npm

@injectivelabs/sdk-ts @1.20.21

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC

Malicious

OSV ID

MAL-2026-10165

Ecosystem

npm

Summary

The wallet/accounts module (dist/esm/accounts-jQ1GSgaW.js) contains injected code that reconstructs a remote host from a char-code array via String.fromCharCode, decoding to testnet.archival.chain.grpc-web.injective.network, and builds the endpoint https://<host>/. When a wallet is created or used, the code reads the BIP-39 mnemonic (via @scure/bip39 generateMnemonic and ethers HDNodeWallet) and POSTs it base64-encoded, placed in an X-Request-Id header with an application/grpc-web+proto content-type, to that endpoint, with a Node http fallback. The char-code obfuscation of the host and the grpc-web framing disguise the exfiltration as normal Injective SDK traffic. Any mnemonic handled by this version is transmitted to the operator of that host, exposing the wallet's master key.

Source: amazon-inspector (dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.