Back to Intelligence

Injective Labs GitHub Compromise: Detecting and Blocking Malicious npm Packages Targeting Crypto Wallets

SA
Security Arsenal Team
July 10, 2026
6 min read

Recently, the GitHub account of Injective Labs was compromised, leading to the publication of malicious npm packages designed to steal cryptocurrency wallet keys. This supply chain attack highlights a critical vulnerability in the dependency management chain that could result in significant financial losses for developers and users of affected applications. Security teams must immediately audit their npm dependencies and implement stronger controls to detect and prevent similar attacks.

Technical Analysis

The attack exploited the trust placed in packages published by verified GitHub users through npm. When the Injective Labs GitHub account was compromised, attackers were able to publish malicious versions of their npm packages. These packages contained obfuscated JavaScript code designed to exfiltrate cryptocurrency wallet keys from development and production environments.

The attack chain works as follows:

  1. Compromise of Injective Labs GitHub account
  2. Publishing of malicious npm packages under the trusted name
  3. Installation of the malicious packages by unsuspecting developers
  4. Execution of wallet key-stealing code during package runtime
  5. Exfiltration of stolen keys to attacker-controlled infrastructure

This attack technique leverages the trust model of package managers and can be difficult to detect without proper security controls in place. The malicious code often uses obfuscation techniques to evade static analysis and may only trigger under specific conditions to avoid detection during normal testing.

Detection & Response

SIGMA Rules

YAML
---
title: Suspicious npm Package Installation from Injective Labs
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
status: experimental
description: Detects installation of potentially compromised npm packages from Injective Labs following the GitHub compromise.
references:
  - https://thehackernews.com/2026/07/injective-labs-github-compromise-pushes.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.initial_access
  - attack.supply_chain
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\npm.cmd'
    CommandLine|contains:
      - '@injective-protocol'
      - 'injective-labs'
  condition: selection
falsepositives:
  - Legitimate installations of Injective Labs packages (verify versions)
level: high
---
title: Cryptocurrency Wallet Key Exfiltration via Node.js Process
id: b2c3d4e5-f6a7-8901-2345-678901bcdef
status: experimental
description: Detects Node.js processes attempting to send wallet key data to external endpoints.
references:
  - https://thehackernews.com/2026/07/injective-labs-github-compromise-pushes.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.exfiltration
  - attack.credential_access
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    DestinationPort:
      - 80
      - 443
      - 8080
  filter:
    DestinationHostname|contains:
      - 'github.com'
      - 'npmjs.com'
      - 'npm.pkg.github.com'
  condition: selection and not filter
falsepositives:
  - Legitimate Node.js network activity
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Detect installation of potentially compromised npm packages
DeviceProcessEvents
| where ProcessName =~ "npm.cmd"
| where ProcessCommandLine has "@injective-protocol" or ProcessCommandLine has "injective-labs"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Detect potential wallet key exfiltration from Node.js processes
DeviceNetworkEvents
| where ProcessName =~ "node.exe"
| where RemotePort in (80, 443, 8080)
| where RemoteUrl !contains "github.com" and RemoteUrl !contains "npmjs.com" and RemoteUrl !contains "npm.pkg.github.com"
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for potentially compromised npm packages
SELECT * FROM glob(globs='*/node_modules/@injective-protocol/*/package.')
WHERE 
  -- Check for recent modifications
  Mtime > timestamp(now="-7d")
  OR
  -- Check for suspicious package versions
  Content =~ "wallet" OR Content =~ "key" OR Content =~ "seed"

-- Hunt for npm install commands involving Injective Labs packages
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "node.exe" 
  AND (CommandLine =~ "@injective-protocol" OR CommandLine =~ "injective-labs")

Remediation Script (PowerShell)

PowerShell
# Audit and remediate potentially compromised npm packages
# This script checks for and removes packages from Injective Labs released during the compromise period

function Check-InjectivePackages {
    param(
        [string]$ProjectPath
    )
    
    if (-not (Test-Path $ProjectPath)) {
        Write-Error "Path not found: $ProjectPath"
        return
    }

    $packageJsonPath = Join-Path $ProjectPath "package."
    
    if (Test-Path $packageJsonPath) {
        $packageJson = Get-Content $packageJsonPath | ConvertFrom-Json
        
        # Check dependencies and devDependencies for Injective packages
        $dependencies = @{}
        
        if ($packageJson.PSObject.Properties['dependencies']) {
            $packageJson.dependencies.PSObject.Properties | ForEach-Object { 
                $dependencies[$_.Name] = $_.Value 
            }
        }
        
        if ($packageJson.PSObject.Properties['devDependencies']) {
            $packageJson.devDependencies.PSObject.Properties | ForEach-Object { 
                $dependencies[$_.Name] = $_.Value 
            }
        }
        
        # Check for Injective Labs packages
        $injectivePackages = $dependencies.Keys | Where-Object { 
            $_ -like "*injective*" -or $_ -like "*@injective*" 
        }
        
        if ($injectivePackages) {
            Write-Host "Found Injective Labs packages in $ProjectPath:" -ForegroundColor Yellow
            foreach ($package in $injectivePackages) {
                Write-Host "  - $package : $($dependencies[$package])" -ForegroundColor Yellow
            }
            
            return $injectivePackages
        }
    }
    
    return @()
}

# Scan current directory and subdirectories
$currentPath = Get-Location
$projects = Get-ChildItem -Path $currentPath -Directory -Recurse | 
            Where-Object { Test-Path (Join-Path $_.FullName "package.") }

$totalProjects = 0
$affectedProjects = 0

foreach ($project in $projects) {
    $totalProjects++
    $packages = Check-InjectivePackages -ProjectPath $project.FullName
    
    if ($packages.Count -gt 0) {
        $affectedProjects++
        
        Write-Host "\nPotentially compromised packages found in: $($project.FullName)" -ForegroundColor Red
        
        # Ask for confirmation before removing packages
        $response = Read-Host "Do you want to remove these packages? (Y/N)"
        
        if ($response -eq "Y" -or $response -eq "y") {
            Set-Location $project.FullName
            
            foreach ($package in $packages) {
                Write-Host "Removing package: $package" -ForegroundColor Cyan
                npm uninstall $package
            }
            
            # Reinstall with latest verified versions
            $reinstall = Read-Host "Do you want to reinstall the packages with the latest verified versions? (Y/N)"
            
            if ($reinstall -eq "Y" -or $reinstall -eq "y") {
                foreach ($package in $packages) {
                    Write-Host "Installing latest verified version of: $package" -ForegroundColor Cyan
                    npm install $package@latest
                }
            }
            
            Set-Location $currentPath
        }
    }
}

Write-Host "\nScan complete. Scanned $totalProjects projects. Found issues in $affectedProjects projects." -ForegroundColor Green

# Additional hardening recommendations
Write-Host "\nAdditional hardening recommendations:" -ForegroundColor Cyan
Write-Host "1. Enable npm audit in your CI/CD pipeline" -ForegroundColor White
Write-Host "2. Implement package lock files (package-lock.) to ensure reproducible builds" -ForegroundColor White
Write-Host "3. Use npm's --ignore-scripts flag when installing packages from untrusted sources" -ForegroundColor White
Write-Host "4. Implement SLSA provenance checks for your dependencies" -ForegroundColor White
Write-Host "5. Monitor for unusual network activity from your Node.js applications" -ForegroundColor White

Remediation Steps

  1. Immediately audit all projects for installation of Injective Labs npm packages
  2. Remove any packages installed during the compromise window (July 2026)
  3. Reinstall packages only after verifying the package integrity and checking for official advisories
  4. Enable package integrity verification using npm's audit feature
  5. Implement dependency scanning in CI/CD pipelines to catch compromised packages automatically
  6. Review any code that uses these packages for potential wallet key exposure
  7. Rotate any cryptocurrency wallet keys that may have been exposed
  8. Enable strict dependency pinning to prevent automatic updates to compromised versions
  9. Monitor for unauthorized access to wallets or unusual transaction patterns

Additional Recommendations

  • Implement SLSA (Supply-chain Levels for Software Artifacts) framework for package verification
  • Use tools like Snyk, OWASP Dependency-Check, or GitHub Dependabot for continuous monitoring
  • Establish a policy for reviewing and approving new package additions
  • Educate development teams on the risks of supply chain attacks
  • Implement network monitoring to detect data exfiltration attempts from development systems
  • Use package-lock. to ensure reproducible builds and prevent unauthorized updates

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionnpm-supply-chaininjective-labscryptocurrency-securitywallet-key-stealingdependency-management

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.