Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics
@injectivelabs/sdk-ts@1.20.21 records private keys and mnemonics, enabling wallet compromise via 17 scoped packages pinned to the malicious version. Socket detected a malicious @injectivelabs/sdk-ts@1.20.21 release published to npm with fake telemetry functionality that exfiltrates wallet private keys and mnemonic phrases. The affected package is part of the Injective Labs TypeScript SDK and receives roughly 50,000 weekly downloads, making the incident significant for developers and…