securitylab_nJuly 12, 2026🇷🇺Translated from Russian

No Hacker Genius Needed: One Login and 49 Minutes Suffice in Injective Supply Chain Attack

A seemingly ordinary update to a cryptocurrency wallet library became a sophisticated supply-chain attack that handed attackers full control over user funds in just 49 minutes. The malicious code was inserted into the official @injectivelabs/sdk-ts package for the Injective blockchain, allowing it to silently harvest recovery phrases and private keys whenever users created or imported wallets.

The compromised version 1.20.21 appeared on npm on July 8, 2026. This library, maintained by Injective Labs, is downloaded approximately 175,000 times per month and is used by decentralized applications to generate wallets, sign transactions, and interact with the Injective network. Attackers did not need to steal a publishing token; they simply gained access to the account of a long-standing trusted contributor and pushed the backdoor directly into the main branch, after which the project's automated CI/CD pipeline built and published the tainted release.

The malicious module was cleverly disguised as an anonymous statistics collector that measured key-generation speed and methods. In reality, it intercepted sensitive data inside the functions PrivateKey.fromMnemonic() and PrivateKey.fromHex(), encoded the stolen recovery phrases or private keys, and transmitted them in the X-Request-Id HTTP header to a server that mimicked a legitimate Injective infrastructure node. The code remained dormant until an application actually created or loaded a wallet, reducing the chance of early detection while ensuring high-value data was captured.

The attack did not stop at the core SDK. The same day, 17 additional Injective Labs packages were released at version 1.20.21, all depending on the compromised library. Although these packages contained no malicious code themselves, they automatically pulled in the dangerous dependency. Security firm OX Security identified 87 third-party packages that transitively depended on the affected components.

Developers detected the intrusion and published a clean version 1.20.23 within 49 minutes. Nevertheless, Socket recorded at least 310 downloads of the malicious release, and cached copies may still exist in intermediate registries, CI caches, or developer environments. Researchers from Datadog Security Labs, Socket, StepSecurity, and OX Security emphasize that any recovery phrase or private key processed by the tainted code must be considered fully compromised.

Users who installed any @injectivelabs package at version 1.20.21 are strongly advised to upgrade immediately to 1.20.23, audit both direct and transitive dependencies, generate fresh keys, and transfer all assets to newly created wallets that have never interacted with the compromised library.