Injective Labs SDK Backdoor: A 49-Minute Crypto Wallet Hack

Injective Labs SDK backdoor code compromising crypto wallets during supply chain attack

An ordinary cryptocurrency wallet library update quickly transformed into a devastating trap. Within just 49 minutes, this trap could hand attackers complete control over user funds. Specifically, malicious actors embedded a malicious code payload into the @injectivelabs/sdk-ts package for the Injective platform. This dangerous code actively stole recovery phrases and private keys whenever a user created or loaded a crypto wallet.

This harmful code first appeared on July 8, 2026, within version 1.20.21 on the npm registry. The compromised package belongs to the official Injective Labs software development kit. It helps applications create wallets, sign transactions, and interact seamlessly with the Injective blockchain. According to a detailed analysis of the Injective Labs SDK backdoor by Datadog Security Labs, developers download this library approximately 175,000 times every month.

Disguised Telemetry Data Theft

The attacker cleverly disguised this data theft as anonymous telemetry collection. The injected module supposedly measured key creation speeds and retrieval methods. However, it actually intercepted the recovery phrase or private key during calls to specific private key functions. Afterward, the system encoded the stolen data and transmitted it via standard web headers. The destination server closely mimicked a regular Injective infrastructure node.

Furthermore, this malware did not execute immediately upon installation. The malicious code triggered only when an application actively created or opened a wallet. Consequently, this delayed approach significantly reduced the chances of rapid detection. Simultaneously, it ensured the intercepted data could successfully restore keys and access the cryptocurrency.

Compromised Maintainer Account

The attackers introduced these malicious changes directly into the main branch of the official repository. They operated under the guise of a longtime project developer. Subsequently, the standard automated build system unknowingly compiled and published the infected version to npm. Security experts believe the attackers successfully compromised the account of a trusted project maintainer. Therefore, they did not even need a separate package publication key.

This attack affected more than just the primary development kit. Simultaneously, 17 other Injective Labs packages released version 1.20.21. These packages directly referenced the infected library. Although they lacked inherent malicious code, they automatically downloaded the dangerous dependency during installation. Analysts identified numerous third-party packages relying on these compromised components.

Remediation and Next Steps

Fortunately, the developers reverted the changes and released a clean version roughly 49 minutes later. However, this brief exposure window does not guarantee zero damage. Trackers recorded hundreds of downloads of the malicious version. Furthermore, saved copies might still linger in caching proxies and automated build environments.

Experts advise anyone who installed the compromised @injectivelabs version to immediately upgrade their systems. You must thoroughly check both direct and nested dependencies. Assume that any recovery phrases and private keys processed by the infected code are fully compromised. Finally, wallet owners must generate new keys and transfer their funds to secure addresses immediately.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply