Researchers report that hackers compromise the Injective Labs SDK project and use that access to publish a malicious package on npm. According to multiple reports, the attackers first breach the project’s GitHub repository, then publish a tainted dependency under the Injective ecosystem. The malicious code is described as a wallet stealer that attempts to capture sensitive credentials from users’ environments, including cryptocurrency wallet private keys and mnemonic seed phrases. Separate coverage also characterizes the activity as an attempt to backdoor the Injective-related npm package to obtain wallet information during normal wallet workflows. The affected packages and the scope of impact are tied to developers and applications that integrate Injective wallet functionality through the SDK. The reports emphasize that developers who maintain Node.js dependencies for Injective-related tooling should review their installed versions, check for the presence of the malicious package, and rotate any exposed credentials if compromise is confirmed. The incidents highlight how supply-chain breaches of widely used developer libraries can be used to target downstream wallets and applications that handle private key material.