{"id":"MAL-2026-10165","summary":"Malicious code in @injectivelabs/sdk-ts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030)\nThe wallet/accounts module (dist/esm/accounts-jQ1GSgaW.js) contains injected code that reconstructs a remote host from a char-code array via String.fromCharCode, decoding to testnet.archival.chain.grpc-web.injective.network, and builds the endpoint https://\u003chost\u003e/. When a wallet is created or used, the code reads the BIP-39 mnemonic (via @scure/bip39 generateMnemonic and ethers HDNodeWallet) and POSTs it base64-encoded, placed in an X-Request-Id header with an application/grpc-web+proto content-type, to that endpoint, with a Node http fallback. The char-code obfuscation of the host and the grpc-web framing disguise the exfiltration as normal Injective SDK traffic. Any mnemonic handled by this version is transmitted to the operator of that host, exposing the wallet's master key.\n","modified":"2026-07-10T19:16:58.520132005Z","published":"2026-07-10T18:43:14Z","database_specific":{"malicious-packages-origins":[{"versions":["1.20.21"],"sha256":"dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030","import_time":"2026-07-10T19:02:48.697005127Z","modified_time":"2026-07-10T18:43:14Z","id":"IN-MAL-2026-009706","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@injectivelabs/sdk-ts/v/1.20.21"}],"affected":[{"package":{"name":"@injectivelabs/sdk-ts","ecosystem":"npm","purl":"pkg:npm/%40injectivelabs/sdk-ts"},"versions":["1.20.21"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@injectivelabs/sdk-ts/MAL-2026-10165.json","indicators":{"package_integrity":[{"filename":"sdk-ts-1.20.21.tgz","hashes":{"sha1":"e3f9da575934fe216a3109cfe2fb699a1dc398d3","sha512_sri":"sha512-TMEWc0Hw2zA38HnCsLiZPWiwz4mRcDg94B5TDUAolQIXKsnY6xrE61iyffP0WuNZpQTrePCYZXuQFYaRQHFPPA=="}}],"domains":["testnet.archival.chain.grpc-web.injective.network"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}