Injective Labs has fallen victim to a significant security breach, resulting in the compromise of its GitHub repository. Unidentified threat actors exploited this breach to publish a harmful npm package, targeting the theft of cryptocurrency wallet private keys and mnemonic seed phrases. The malicious package, identified as @injectivelabs/[email protected], was released on July 8, 2026, and disguised its true intent under a fake telemetry feature. This feature was engineered to exfiltrate sensitive data from cryptocurrency wallets without detection.

The breach involved a GitHub account of a known developer with a history of contributions to the project, which was used to introduce the malicious code. The attack extended beyond a single package, with the harmful version affecting 17 additional packages in the @injectivelabs scope, impacting users indirectly through transitive dependencies. The malware was designed to be unobtrusive, avoiding detection by not utilizing lifecycle scripts during installation. Instead, it modified legitimate functions to capture sensitive information under the guise of collecting anonymized data for performance improvements.

Once triggered, the malware could capture and send sensitive information needed to generate private keys to an external server. This was done through a queue system that minimized outbound requests, batching data into a single HTTPS POST request. The breach was facilitated through the repository's trusted-publisher pipeline, with malicious commits appearing under the identity of a trusted maintainer, Thomas Ralee.

Users who have installed the compromised version are urged to update to version 1.20.23, which is clean and secure. It is essential to consider any private key or mnemonic phrase processed by the compromised package as compromised and to rotate them promptly. Additionally, users should verify their dependencies for any transitive risks.