Injective Labs GitHub repo compromised, pushes wallet-key-stealing npm package (@injectivelabs/[email protected])
Attackers compromised the Injective Labs SDK GitHub repository and shipped a poisoned release, @injectivelabs/[email protected], with fake telemetry code that exfiltrates cryptocurrency wallet private keys and mnemonic seed phrases from anything importing it. Same TTP shape as the Laravel-Lang and GitHub-Releases-as-dropper campaigns this series has tracked before - a trusted maintainer account or repo gets popped, then the poisoned version rides the normal update path into every downstream project. If you or a dependency pull @injectivelabs/sdk-ts, pin off 1.20.21, audit for the version in lockfiles across your org, and rotate any wallet keys that touched a machine running it.