Skip to content

Add malicious package report for @injectivelabs/sdk-ts@1.20.21#1362

Open
r-bedekar wants to merge 1 commit into
ossf:mainfrom
r-bedekar:report-injectivelabs-sdk-ts-1.20.21
Open

Add malicious package report for @injectivelabs/sdk-ts@1.20.21#1362
r-bedekar wants to merge 1 commit into
ossf:mainfrom
r-bedekar:report-injectivelabs-sdk-ts-1.20.21

Conversation

@r-bedekar

Copy link
Copy Markdown

Malicious @injectivelabs/sdk-ts@1.20.21; a wallet-credential stealer disguised as "key derivation telemetry" that exfiltrates BIP-39 mnemonics and hex private keys (base64, POSTed as fake application/grpc-web+proto with the secret in the X-Request-Id header). Introduced in commit 5486f13e799d, reverted by the vendor as "revert: exfiltration telemetry" (7c4b1a092), fixed in 1.20.23. All @injectivelabs/* packages at 1.20.21 were deprecated as compromised (they depend on the malicious sdk-ts). Ref: InjectiveLabs/injective-ts#697.

Signed-off-by: r-bedekar <rbedekar@zeroinsec.com>
@r-bedekar r-bedekar force-pushed the report-injectivelabs-sdk-ts-1.20.21 branch from cf88841 to e99dcc4 Compare July 9, 2026 12:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant