VDB
KO

MAL-2026-10165

Malicious code in @injectivelabs/sdk-ts (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030) The wallet/accounts module (dist/esm/accounts-jQ1GSgaW.js) contains injected code that reconstructs a remote host from a char-code array via String.fromCharCode, decoding to testnet.archival.chain.grpc-web.injective.network, and builds the endpoint https://<host>/. When a wallet is created or used, the code reads the BIP-39 mnemonic (via @scure/bip39 generateMnemonic and ethers HDNodeWallet) and POSTs it base64-encoded, placed in an X-Request-Id header with an application/grpc-web+proto content-type, to that endpoint, with a Node http fallback. The char-code obfuscation of the host and the grpc-web framing disguise the exfiltration as normal Injective SDK traffic. Any mnemonic handled by this version is transmitted to the operator of that host, exposing the wallet's master key.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @injectivelabs/sdk-ts

No fixed version published yet for @injectivelabs/sdk-ts (npm). Pin to a known-safe version or switch to an alternative.

References