MAL-2026-10165

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@injectivelabs/sdk-ts/MAL-2026-10165.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10165
Published
2026-07-10T18:43:14Z
Modified
2026-07-10T19:16:58.520132005Z
Summary
Malicious code in @injectivelabs/sdk-ts (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030)

The wallet/accounts module (dist/esm/accounts-jQ1GSgaW.js) contains injected code that reconstructs a remote host from a char-code array via String.fromCharCode, decoding to testnet.archival.chain.grpc-web.injective.network, and builds the endpoint https://<host>/. When a wallet is created or used, the code reads the BIP-39 mnemonic (via @scure/bip39 generateMnemonic and ethers HDNodeWallet) and POSTs it base64-encoded, placed in an X-Request-Id header with an application/grpc-web+proto content-type, to that endpoint, with a Node http fallback. The char-code obfuscation of the host and the grpc-web framing disguise the exfiltration as normal Injective SDK traffic. Any mnemonic handled by this version is transmitted to the operator of that host, exposing the wallet's master key.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.20.21"
            ],
            "id": "IN-MAL-2026-009706",
            "import_time": "2026-07-10T19:02:48.697005127Z",
            "modified_time": "2026-07-10T18:43:14Z",
            "sha256": "dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @injectivelabs/sdk-ts

Package

Name
@injectivelabs/sdk-ts
View open source insights on deps.dev
Purl
pkg:npm/%40injectivelabs/sdk-ts

Affected ranges

Affected versions

1.*
1.20.21

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "sdk-ts-1.20.21.tgz",
            "hashes": {
                "sha512_sri": "sha512-TMEWc0Hw2zA38HnCsLiZPWiwz4mRcDg94B5TDUAolQIXKsnY6xrE61iyffP0WuNZpQTrePCYZXuQFYaRQHFPPA==",
                "sha1": "e3f9da575934fe216a3109cfe2fb699a1dc398d3"
            }
        }
    ],
    "domains": [
        "testnet.archival.chain.grpc-web.injective.network"
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@injectivelabs/sdk-ts/MAL-2026-10165.json"