Intelligence confirms an active supply chain attack targeting the blockchain development sector. An adversary successfully compromised a developer account associated with the Injective Labs TypeScript SDK, publishing a malicious version (1.20.21) to the official npm registry on June 8, 2026.
The malware is designed to act as an infostealer, specifically hooking into key generation functions within the SDK. Its primary objective is the theft of cryptocurrency assets by intercepting and exfiltrating private wallet keys and mnemonic phrases to an attacker-controlled infrastructure masquerading as a legitimate Injective testnet endpoint. This attack vector is particularly insidious as it inherits the trust of the legitimate package, allowing it to bypass standard dependency checks.
Threat Actor / Malware Profile
- Threat Actor: Unknown (Financially Motivated)
- Distribution Method: Software Supply Chain (Compromised Developer Credentials / Repo Poisoning)
- Payload Behavior: The malicious code in
@injectivelabs/sdk-tsv1.20.21 functions as a runtime hook. It intercepts calls related to cryptographic key generation and wallet creation within the host application. - C2 Communication: Exfiltration occurs via HTTPS POST requests to
testnet.archival.chain.grpc-web.injective.network. The domain mimics the legitimate infrastructure of the Injective network to blend in with normal traffic. - Persistence: Persistence is achieved through the dependency itself; any application running the compromised package will execute the data theft logic during runtime operations involving wallet generation or access.
- Anti-Analysis: By embedding within a widely used, legitimate library, the malware avoids signature-based detection and leverages the reputation of the npm registry.
IOC Analysis
The provided indicators allow for precise detection of this campaign:
- File Hashes (SHA256): Two specific hashes correspond to the tainted package files. SOC teams should utilize EDR solutions to scan
node_modulesdirectories for these specific artifacts. - Network Indicators (URL/Hostname): The domain
testnet.archival.chain.grpc-web.injective.networkis the exfiltration sink. While similar to legitimate Injective infrastructure, specific DNS filtering and firewall rules should be applied to block access to this specific endpoint or alert on outbound connections from build agents/developer workstations.
SOC teams should operationalize these by uploading hashes to EDR allowlists/denylists and creating block rules for the hostname at the proxy/firewall layer.
Detection Engineering
title: Suspicious Network Connection to Injective SDK Exfil Domain
id: 9d2a1a3b-5c7d-4f8e-9a1b-2c3d4e5f6a7b
description: Detects outbound connections from Node.js processes to the known malicious exfiltration domain associated with the compromised Injective SDK.
status: experimental
date: 2026/07/11
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/612345678
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\node.exe'
DestinationHostname|contains: 'testnet.archival.chain.grpc-web.injective.network'
condition: selection
falsepositives:
- Legitimate use of Injective testnet (unlikely for production workloads)
level: high
tags:
- attack.credential_access
- attack.exfiltration
- supply_chain
---
title: Malicious Injective SDK Package File Creation
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects the presence of the malicious file hashes associated with the compromised @injectivelabs/sdk-ts v1.20.21 package.
status: experimental
date: 2026/07/11
author: Security Arsenal
logsource:
category: file_event
product: windows
detection:
selection_hash:
Hashes|contains:
- '103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0'
- '9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9'
selection_path:
TargetFilename|contains: '\node_modules\\@injectivelabs\\sdk-ts\\'
condition: all of selection_*
falsepositives:
- None (High confidence IOCs)
level: critical
tags:
- attack.resource_development
- attack.t1195
---
title: Installation of Compromised Injective SDK via NPM
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects the installation of the specific malicious version 1.20.21 of the @injectivelabs/sdk-ts package using npm.
status: experimental
date: 2026/07/11
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\npm.cmd'
- '\npm.exe'
- '\npx.cmd'
- '\npx.exe'
selection_cli:
CommandLine|contains: '@injectivelabs/sdk-ts'
selection_version:
CommandLine|contains: '1.20.21'
condition: all of selection_*
falsepositives:
- Developers intentionally testing this version (unlikely given severity)
level: high
tags:
- attack.supply_chain
kql// KQL Hunt for Exfiltration Domain
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "injective.network"
| where RemoteUrl has "testnet.archival"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemotePort
| extend FullUrl = strcat("https://", RemoteUrl)
// KQL Hunt for Malicious File Hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0", "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
powershell# PowerShell IOC Hunt Script for Malicious NPM Package
# Requires administrative privileges to scan all user profiles
Write-Host "[*] Scanning for compromised Injective SDK package..." -ForegroundColor Cyan
$MaliciousHashes = @(
"103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0",
"9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9"
)
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
Write-Host "[*] Scanning drive $Drive..." -ForegroundColor Gray
# Scan for package-lock. files to find the package reference
$PackageLockFiles = Get-ChildItem -Path $Drive -Recurse -Filter "package-lock." -ErrorAction SilentlyContinue
foreach ($File in $PackageLockFiles) {
$Content = Get-Content $File.FullName -Raw -ErrorAction SilentlyContinue
if ($Content -match "@injectivelabs/sdk-ts" -and $Content -match "1.20.21") {
Write-Host "[!] FOUND MALICIOUS PACKAGE REFERENCE in: $($File.FullName)" -ForegroundColor Red
}
}
# Scan for the actual file hashes in node_modules (slower)
$NodeModules = Get-ChildItem -Path $Drive -Recurse -Filter "*.js" -ErrorAction SilentlyContinue | Where-Object { $_.DirectoryName -match "node_modules.*@injectivelabs" }
foreach ($File in $NodeModules) {
$Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($MaliciousHashes -contains $Hash) {
Write-Host "[!] FOUND MALICIOUS FILE HASH: $($File.FullName)" -ForegroundColor Red
}
}
}
Write-Host "[*] Scan Complete." -ForegroundColor Green
Response Priorities
-
Immediate:
- Block all network traffic to
testnet.archival.chain.grpc-web.injective.networkat the perimeter firewall and proxy. - Scan all build servers, CI/CD pipelines, and developer workstations for the file hashes provided above.
- Audit
package-lock.files for the dependency@injectivelabs/sdk-ts@1.20.21and force downgrade tov1.20.20or upgrade to a verified safe version (post-1.20.21).
- Block all network traffic to
-
24 Hours:
- If the malicious package was deployed in a production environment that handled keys, assume those keys are compromised. Initiate immediate wallet migration and key rotation procedures.
- Review developer account logs for the Injective Labs repository to identify the initial vector of the account compromise (likely credential theft or token leak).
-
1 Week:
- Implement Software Bill of Materials (SBOM) generation for all build artifacts.
- Enforce mandatory Multi-Factor Authentication (MFA) for all npm publish accounts and service accounts.
- Integrate dependency scanning (e.g., Socket.dev, Snyk) into the pull-request process to detect future supply chain injections.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.