-= Per source details. Do not edit below this line.=-
The wallet/accounts module (dist/esm/accounts-jQ1GSgaW.js) contains injected code that reconstructs a remote host from a char-code array via String.fromCharCode, decoding to testnet.archival.chain.grpc-web.injective.network, and builds the endpoint https://<host>/. When a wallet is created or used, the code reads the BIP-39 mnemonic (via @scure/bip39 generateMnemonic and ethers HDNodeWallet) and POSTs it base64-encoded, placed in an X-Request-Id header with an application/grpc-web+proto content-type, to that endpoint, with a Node http fallback. The char-code obfuscation of the host and the grpc-web framing disguise the exfiltration as normal Injective SDK traffic. Any mnemonic handled by this version is transmitted to the operator of that host, exposing the wallet's master key.
{
"malicious-packages-origins": [
{
"versions": [
"1.20.21"
],
"id": "IN-MAL-2026-009706",
"import_time": "2026-07-10T19:02:48.697005127Z",
"modified_time": "2026-07-10T18:43:14Z",
"sha256": "dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "sdk-ts-1.20.21.tgz",
"hashes": {
"sha512_sri": "sha512-TMEWc0Hw2zA38HnCsLiZPWiwz4mRcDg94B5TDUAolQIXKsnY6xrE61iyffP0WuNZpQTrePCYZXuQFYaRQHFPPA==",
"sha1": "e3f9da575934fe216a3109cfe2fb699a1dc398d3"
}
}
],
"domains": [
"testnet.archival.chain.grpc-web.injective.network"
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@injectivelabs/sdk-ts/MAL-2026-10165.json"