Back to Intelligence

Supply Chain Attack: Malicious Injective SDK npm Package v1.20.21 Exfiltrating Web3 Wallet Keys

SA
Security Arsenal Team
July 10, 2026
5 min read

Intelligence confirms an active supply chain attack targeting the blockchain development sector. An adversary successfully compromised a developer account associated with the Injective Labs TypeScript SDK, publishing a malicious version (1.20.21) to the official npm registry on June 8, 2026.

The malware is designed to act as an infostealer, specifically hooking into key generation functions within the SDK. Its primary objective is the theft of cryptocurrency assets by intercepting and exfiltrating private wallet keys and mnemonic phrases to an attacker-controlled infrastructure masquerading as a legitimate Injective testnet endpoint. This attack vector is particularly insidious as it inherits the trust of the legitimate package, allowing it to bypass standard dependency checks.

Threat Actor / Malware Profile

  • Threat Actor: Unknown (Financially Motivated)
  • Distribution Method: Software Supply Chain (Compromised Developer Credentials / Repo Poisoning)
  • Payload Behavior: The malicious code in @injectivelabs/sdk-ts v1.20.21 functions as a runtime hook. It intercepts calls related to cryptographic key generation and wallet creation within the host application.
  • C2 Communication: Exfiltration occurs via HTTPS POST requests to testnet.archival.chain.grpc-web.injective.network. The domain mimics the legitimate infrastructure of the Injective network to blend in with normal traffic.
  • Persistence: Persistence is achieved through the dependency itself; any application running the compromised package will execute the data theft logic during runtime operations involving wallet generation or access.
  • Anti-Analysis: By embedding within a widely used, legitimate library, the malware avoids signature-based detection and leverages the reputation of the npm registry.

IOC Analysis

The provided indicators allow for precise detection of this campaign:

  • File Hashes (SHA256): Two specific hashes correspond to the tainted package files. SOC teams should utilize EDR solutions to scan node_modules directories for these specific artifacts.
  • Network Indicators (URL/Hostname): The domain testnet.archival.chain.grpc-web.injective.network is the exfiltration sink. While similar to legitimate Injective infrastructure, specific DNS filtering and firewall rules should be applied to block access to this specific endpoint or alert on outbound connections from build agents/developer workstations.

SOC teams should operationalize these by uploading hashes to EDR allowlists/denylists and creating block rules for the hostname at the proxy/firewall layer.

Detection Engineering

YAML
title: Suspicious Network Connection to Injective SDK Exfil Domain
id: 9d2a1a3b-5c7d-4f8e-9a1b-2c3d4e5f6a7b
description: Detects outbound connections from Node.js processes to the known malicious exfiltration domain associated with the compromised Injective SDK.
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/612345678
logsource:
    category: network_connection
product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\node.exe'
        DestinationHostname|contains: 'testnet.archival.chain.grpc-web.injective.network'
    condition: selection
falsepositives:
    - Legitimate use of Injective testnet (unlikely for production workloads)
level: high
tags:
    - attack.credential_access
    - attack.exfiltration
    - supply_chain
---
title: Malicious Injective SDK Package File Creation
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects the presence of the malicious file hashes associated with the compromised @injectivelabs/sdk-ts v1.20.21 package.
status: experimental
date: 2026/07/11
author: Security Arsenal
logsource:
    category: file_event
product: windows
detection:
    selection_hash:
        Hashes|contains:
            - '103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0'
            - '9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9'
    selection_path:
        TargetFilename|contains: '\node_modules\\@injectivelabs\\sdk-ts\\'
    condition: all of selection_*
falsepositives:
    - None (High confidence IOCs)
level: critical
tags:
    - attack.resource_development
    - attack.t1195
---
title: Installation of Compromised Injective SDK via NPM
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects the installation of the specific malicious version 1.20.21 of the @injectivelabs/sdk-ts package using npm.
status: experimental
date: 2026/07/11
author: Security Arsenal
logsource:
    category: process_creation
product: windows
detection:
    selection_img:
        Image|endswith:
            - '\npm.cmd'
            - '\npm.exe'
            - '\npx.cmd'
            - '\npx.exe'
    selection_cli:
        CommandLine|contains: '@injectivelabs/sdk-ts'
    selection_version:
        CommandLine|contains: '1.20.21'
    condition: all of selection_*
falsepositives:
    - Developers intentionally testing this version (unlikely given severity)
level: high
tags:
    - attack.supply_chain


kql// KQL Hunt for Exfiltration Domain
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "injective.network" 
| where RemoteUrl has "testnet.archival"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemotePort
| extend FullUrl = strcat("https://", RemoteUrl)
// KQL Hunt for Malicious File Hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0", "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName


powershell# PowerShell IOC Hunt Script for Malicious NPM Package
# Requires administrative privileges to scan all user profiles

Write-Host "[*] Scanning for compromised Injective SDK package..." -ForegroundColor Cyan

$MaliciousHashes = @(
    "103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0",
    "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9"
)

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "[*] Scanning drive $Drive..." -ForegroundColor Gray
    
    # Scan for package-lock. files to find the package reference
    $PackageLockFiles = Get-ChildItem -Path $Drive -Recurse -Filter "package-lock." -ErrorAction SilentlyContinue
    
    foreach ($File in $PackageLockFiles) {
        $Content = Get-Content $File.FullName -Raw -ErrorAction SilentlyContinue
        if ($Content -match "@injectivelabs/sdk-ts" -and $Content -match "1.20.21") {
            Write-Host "[!] FOUND MALICIOUS PACKAGE REFERENCE in: $($File.FullName)" -ForegroundColor Red
        }
    }

    # Scan for the actual file hashes in node_modules (slower)
    $NodeModules = Get-ChildItem -Path $Drive -Recurse -Filter "*.js" -ErrorAction SilentlyContinue | Where-Object { $_.DirectoryName -match "node_modules.*@injectivelabs" }
    
    foreach ($File in $NodeModules) {
        $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($MaliciousHashes -contains $Hash) {
            Write-Host "[!] FOUND MALICIOUS FILE HASH: $($File.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[*] Scan Complete." -ForegroundColor Green

Response Priorities

  • Immediate:

    • Block all network traffic to testnet.archival.chain.grpc-web.injective.network at the perimeter firewall and proxy.
    • Scan all build servers, CI/CD pipelines, and developer workstations for the file hashes provided above.
    • Audit package-lock. files for the dependency @injectivelabs/sdk-ts@1.20.21 and force downgrade to v1.20.20 or upgrade to a verified safe version (post-1.20.21).
  • 24 Hours:

    • If the malicious package was deployed in a production environment that handled keys, assume those keys are compromised. Initiate immediate wallet migration and key rotation procedures.
    • Review developer account logs for the Injective Labs repository to identify the initial vector of the account compromise (likely credential theft or token leak).
  • 1 Week:

    • Implement Software Bill of Materials (SBOM) generation for all build artifacts.
    • Enforce mandatory Multi-Factor Authentication (MFA) for all npm publish accounts and service accounts.
    • Integrate dependency scanning (e.g., Socket.dev, Snyk) into the pull-request process to detect future supply chain injections.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialssupply-chain-attackinfostealerweb3-securitynpm-malwarecrypto-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.