Someone almost pulled off a very clean heist on July 8, 2026. Attackers compromised a trusted GitHub maintainer on the Injective project and pushed a poisoned version of the @injectivelabs/sdk-ts TypeScript SDK directly to the master branch, no code review required. The malicious payload went live at 20:59 UTC and was gone by 21:16 UTC. Seventeen minutes.

Security researchers from StepSecurity and Socket identified the attack and flagged it. A revert commit restored clean package versions within roughly 49 minutes of the initial malicious push, according to research findings. No widespread theft has been confirmed, but the window was real, and the method was sophisticated.

What the attackers actually did

The compromised account belonged to a maintainer identified as thomasRalee, operating under the email [email protected]. Gaining access to that account gave the attacker direct push access to the master branch without a traditional review process.

From there, the attacker pushed malicious commits between 20:24 and 20:54 UTC, setting up a backdoor in version 1.20.21 of the SDK. The tainted version was then propagated across 18 associated npm packages, each one pinned to that exact poisoned release.