Supply chain hits npm registry immediately following the v12 release, proving developer ecosystems remain heavily targeted.
Breaking News: A malicious version of Injectivelabs/sdk-ts@1.20.21 was uploaded to the npm registry. The compromised package contains malware designed to exfiltrate cryptocurrency from victim machines.
Overview
The @injectivelabs/sdk-ts package was hijacked to deliver crypto-stealing malware. Because this package has 87 downstream dependents, any project utilizing a non-pinned version of the SDK during the window the attack was live automatically pulled the malicious update.
Notably, secondary packages within the Injective ecosystem were not directly injected with malicious code; instead, their dependency trees were modified to point explicitly to @injectivelabs/sdk-ts@1.20.21 to execute the payload indirectly.
Who is affected
Anyone who installed @injectivelabs/sdk-ts@1.20.21 or one of its dependents during the time it was live.
Impact
Impact: cryptocurrency exfiltration from the victim’s machine,
Reach: 87 dependent packages, combining for an accumulated 112,378 downloads count.
Recommended Actions
- Update to a fixed package of the affected packages immediately
- Add 2FA to your crypto-currency wallets and check for suspicious transactions
Technical Analysis

The malware adds crypto wallet stealing logic to a crypto wallet package, every time a legitimate user creates or uses the logic that reads mnemonic phrases – which are basically the master key for any crypto wallet, the malware reads them and sends them to the remote server.

It’s interesting to note that the threat actors targeted a crypto currency npm package for the malicious stealing logic – to ensure that their victims use the wallet handling logic directly.
The malware contains an obfuscated string which translates to the remote C2 server testnet.archival.chain.grpc-web[.]injective[.]network

Since the malware is highly targeted, only the collection and sending logic was added, showing that this was a rather targeted attack and not a wide-spread malware such as Shai-Hulud and it’s variants.
Affected Packages
| Package name | Affected versions |
| @injectivelabs/sdk-ts | 1.20.21 |
| @injectivelabs/utils | 1.20.21 |
| @injectivelabs/networks | 1.20.21 |
| @injectivelabs/ts-types | 1.20.21 |
| @injectivelabs/exceptions | 1.20.21 |
| @injectivelabs/wallet-base | 1.20.21 |
| @injectivelabs/wallet-core | 1.20.21 |
| @injectivelabs/wallet-cosmos | 1.20.21 |
| @injectivelabs/wallet-private-key | 1.20.21 |
| @injectivelabs/wallet-evm | 1.20.21 |
| @injectivelabs/wallet-trezor | 1.20.21 |
| @injectivelabs/wallet-cosmostation | 1.20.21 |
| @injectivelabs/wallet-ledger | 1.20.21 |
| @injectivelabs/wallet-wallet-connect | 1.20.21 |
| @injectivelabs/wallet-magic | 1.20.21 |
| @injectivelabs/wallet-strategy | 1.20.21 |
| @injectivelabs/wallet-turnkey | 1.20.21 |
| @injectivelabs/wallet-cosmos-strategy | 1.20.21 |
Conclusions
Less than 24 hours since npm v12 is out, we’re seeing what we always said – supply chain attacks are here to stay, and they found the npm registry as their new home.
These operations don’t even need to be highly sophisticated—they just need to work. As long as threat actors can compromise developer accounts via stolen GitHub access tokens, phishing, or account takeovers, they can upload malicious iterations without a single automated guardrail standing in their way.
Attackers don’t need to hit your main application repository directly—they just need to poison its dependencies. If you aren’t monitoring what your code is bringing in – you’re cooked. This campaign perfectly illustrates this tactical evolution: the threat actors pinned the other @injectivelabs dependencies to a malicious version. By keeping those secondary packages clean of malicious code, the core malware evades detection longer, buying it time to spread through the registry, and even more time in unofficial registries.


