Injective SDK's npm compromise, and the OIDC that let it
@injectivelabs/sdk-ts@1.20.21 shipped a wallet-key exfiltration routine for two days. A maintainer account walked it through the OIDC publisher pipeline.
Another npm package with a wallet-key exfiltrator in it, and another perfectly
good maintainer account holding the pen. The version this time was
@injectivelabs/sdk-ts@1.20.21,
published on July 8 and available to install for roughly two days before Socket
and StepSecurity flagged it.
The payload is worth pausing on, briefly. A function called
trackKeyDerivation() piggybacked on the SDK’s legitimate key-derivation flows,
batched anything it saw over two-second windows, and beaconed the batches over
HTTPS to a domain crafted to look like part of Injective’s own testnet
infrastructure (testnet.archival.chain.grpc-web.injective[.]network). No
install-time hooks. Nothing to catch at npm install unless you were reading the
actual source. It only fired when a downstream developer used the library —
which is the version of this pattern that gets past most of the tooling built to
catch the older, cruder version.
Seventeen adjacent @injectivelabs packages pinned to 1.20.21 got dragged along
with it — the private-keys helper, the EVM helper, the Trezor and Ledger
adapters, the Cosmostation adapter. Anything a wallet integration was likely to
have imported.
The interesting part, and the part that keeps recurring, is how it got into the
registry in the first place. The commits were authored by an established
maintainer — thomasRalee, per Socket — and the push rode through the repo’s
OIDC publisher pipeline. The pipeline is doing its job: it is proving that a
signed release came from the project’s trusted publisher chain, which was the
whole point of adopting it. What it is not doing, and cannot do, is prove that
the human account authorizing that chain is being driven by the human it belongs
to. Every time a supply-chain compromise of this shape shows up — and the last
one wasn’t very long ago — the trust anchor has quietly moved one link further
back and stayed exactly as brittle.
Rotate anything that touched the poisoned SDK. Injective has published 1.20.23; treat any private key or mnemonic that passed through 1.20.21 as burned and move funds off it. The Socket writeup has the indicators.
Same mistake, different decade — but at least the registry cleanup was fast this time.
Found this useful? Share it.


