Embedded Malicious Code Affecting @injectivelabs/sdk-ts package, versions =1.20.21


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-INJECTIVELABSSDKTS-17911353
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditKarlo Zanki

Introduced: 8 Jul 2026

New Malicious CVE NOT AVAILABLE CWE-506  (opens in a new tab)

How to fix?

Avoid using all malicious instances of the @injectivelabs/sdk-ts package.

Overview

@injectivelabs/sdk-ts is a SDK in TypeScript for building Injective applications in a browser, node, and react native environment.

Affected versions of this package are vulnerable to Embedded Malicious Code. The compromised version of this package contains a malicious trackKeyDerivation() function inserted into the account modules accounts-jQ1GSgaW.js and accounts-Cy0p4lLW.cjs, which hooks the fromMnemonic() and fromHex() key-derivation functions to capture full mnemonic phrases and private-key material. The code base64-encodes the captured secrets and exfiltrates them through a POST request to a character-obfuscated endpoint intended to resemble Injective infrastructure. It executes during normal library use rather than at install time, to evade detection.

The same actor also published version 1.20.21 of 17 other @injectivelabs/* packages, but those packages contain no additional malicious code of their own. They are implicated solely because each pinned the compromised @injectivelabs/sdk-ts@1.20.21 as a dependency, pulling the backdoor in.

Note: The compromised version has been labelled "compromised" and deprecated on npmjs.com, but not removed as of the time of publication.

References

CVSS Base Scores

version 4.0
version 3.1