Hackers compromised the GitHub repository of the Injective Labs SDK and used it to publish a malicious package on the Node Package Manager (npm) registry. The tampered package was designed to exfiltrate cryptocurrency wallet private keys and mnemonic seed phrases from affected systems.

This supply-chain attack targets developers and users integrating the Injective SDK, a toolkit for building on the Injective blockchain. While the full scope of the compromise remains under assessment, the theft of seed phrases poses a direct risk to funds stored in associated wallets, potentially leading to irreversible asset loss.

The infection vector relied on modifying the official SDK source repository before pushing a rogue version to npm. Once installed, the malicious code extracted sensitive cryptographic material from the local environment and communicated it to an attacker-controlled endpoint. Users who ran the affected package may have exposed their wallet credentials without immediate signs of compromise.

The Injective team has removed the malicious package from npm and is investigating the breach. As of now, no official patch or updated safe version has been announced. Developers should audit their dependencies for the compromised package, revoke any exposed keys, and migrate funds to new wallets immediately.

No threat actor has claimed responsibility, but the attack aligns with a broader trend of supply-chain intrusions targeting the JavaScript ecosystem. Organizations using Injective SDK components are advised to monitor repositories for future security advisories.