ctipilot.ch

@injectivelabs/sdk-ts npm supply-chain compromise (2026)

incident · incident:injectivelabs-npm-sdk-ts-supply-chain-2026 single-source

GitHub-account-takeover-driven npm supply-chain compromise (2026-06-08, contained within ~50 minutes) of @injectivelabs/sdk-ts and 17 dependent scope packages, injecting a runtime-triggered wallet-key stealer with no install-time hook that hooks the SDK's key-derivation functions and exfiltrates disguised as normal gRPC-web API traffic; first public technical teardown by Aikido Security (2026-07-09).

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
research
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

Affected products
@injectivelabs/sdk-ts (npm)

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×1

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Evidence: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · ATT&CK page ↗

Credential Access TA0006

T1056.004Input Capture: Credential API Hooking×1

Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.

Evidence: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · ATT&CK page ↗

Collection TA0009

T1056.004Input Capture: Credential API Hooking×1

Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials. Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials.

Evidence: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · ATT&CK page ↗

Command and Control TA0011

T1132.001Data Encoding: Standard Encoding×1

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.

Evidence: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · ATT&CK page ↗

Exfiltration TA0010

T1041Exfiltration Over C2 Channel×1

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Evidence: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · ATT&CK page ↗

Story timeline

  1. 2026-07-10npm supply-chain payload hides as runtime 'telemetry' with no install hook — defeating install-time dependency scanners
    researchAikido: compromised @injectivelabs npm package hooks key-derivation at runtime, carries no postinstall script, and exfiltrates disguised as normal SDK traffic

Where this entity is cited

  • research1

Source distribution

  • aikido.dev1 (100%)

Entries about @injectivelabs/sdk-ts npm supply-chain compromise (2026) (1)

2026-07-10 · view entry permalink →

NOTABLENATOB2

npm supply-chain payload hides as runtime 'telemetry' with no install hook — defeating install-time dependency scanners

Aikido Security published (2026-07-09) a teardown of a compromised npm release of @injectivelabs/sdk-ts — an SDK pulling ~50,000 weekly downloads — that is notable less for its payload's purpose than for how it hid (Aikido Security, 2026-07-09). Introduced via what Aikido assesses as a GitHub account takeover (commits from an account with an established history), the malicious version was live for under an hour on 2026-06-08 before the maintainer reverted it, but in that window the attacker also republished the same version number across 17 other packages in the scope, each pinning the poisoned SDK — so any project depending on one of them resolved the stealer transitively without naming it directly.

The payload runs no install-time script. Diffed against the clean build, the artifacts differ by one injected block and two one-line hooks placed inside the SDK's own key-derivation entry points; each hook "fires before the real derivation runs, so the secret is captured on every legitimate call" during normal application use (Aikido, 2026-07-09). Because "the trigger is key derivation at runtime and not a lifecycle script, install-time scanners and sandboxes that only watch postinstall see a clean package" — the single most important detail for defenders, since it defeats the exact control (install-hook / postinstall inspection) that most software-composition-analysis programmes lean on. The exfiltration was built to blend in: the destination host was stored as an array of character codes and reassembled at runtime to defeat plaintext string search, the captured material was base64-batched and sent inside an HTTP request header (not the body) with a content type matching the SDK's own gRPC-web API calls, and every failure path swallowed errors silently. The injected block was even documented in its own comment as "anonymized usage metrics for SDK optimization".

Because the trigger is key derivation at runtime and not a lifecycle script, install-time scanners and sandboxes that only watch postinstall see a clean package.

Each hook fires before the real derivation runs, so the secret is captured on every legitimate call

The malicious `1.20.21`was published at 22:59 GMT+2 on June 8, 2026, the maintainer reverted the change at 23:18, and a clean version was published at 23:48.

Aikido Security 2026-07-09
research10 Jul 12:53Zsingle-sourceOpen finding ↗