Not-so-anonymous telemetry: The @injectivelabs/sdk-ts backdoor
A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys.
Read the full articleYou might also wanna read
Compromised @injectivelabs/sdk-ts exfiltrates wallet keys through fake ...
A malicious release of @injectivelabs/sdk-ts hid a wallet-key stealer inside code labeled as usage telemetry, then spread it across 17 more
Compromised @injectivelabs/sdk-ts exfiltrates wallet... - daily.dev
5 hours ago ... A malicious version of the npm package @injectivelabs/sdk-ts (v1.20.21) was published on June 8, 2026, containing code that
Injective SDK on npm infected with cryptocurrency wallet stealer
Hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on the Node Package Manage
GitLost: GitHub’s AI Agent Tricked Into Leaking Private Repository Data
Noma Labs details GitLost, a prompt injection flaw that made GitHub’s AI agent expose private repo data through a crafted public issue and g
Critical prompt injection flaw in GitHub Agentic Workflows allows private repo data leaks
Per usual, there's no fix – or even any documentation – for GitLost

GitLost shows how a public issue can make GitHub's AI agent leak private repo data
Noma Labs says a prompt injection in GitHub Agentic Workflows crossed from public issue text into private repository content.

Comments
Sign in to join the conversation.
No comments yet. Be the first.