Injective's npm got supply-chain-checked — 300 devs downloaded the receipts 🔑
A widely used Injective software package was compromised in a supply chain attack designed to siphon crypto wallet private keys, with the malicious version downloaded more than 300 times before it was removed. Security firm Socket disclosed the incident on Thursday, warning that the package's roughly 50,000 weekly downloads made it "significant for developers and applications that handle Injective wallet workflows."
Version 1.20.21 of the @injectivelabs/sdk-ts npm package was modified through a compromised developer GitHub account, with suspicious commits beginning June 8, according to Socket. The malicious release was also pinned across 17 other packages in the Injective Labs npm scope, "exposing users who may not have installed the SDK [software development kit] directly." Socket said the malware "hooks wallet key-derivation functions, records private keys and mnemonics, and exfiltrates them through fake telemetry."
The malicious code hooked into routine wallet key-generation routines, secretly copying seed phrases and private keys when developers' apps called those functions. The compromised data was then encoded and sent to a web address designed to mimic a legitimate Injective network server. Socket warned that "any keys or mnemonics passed through affected packages should be treated as compromised" and confirmed the package was downloaded 310 times during the exposure window.
The developer whose account was infiltrated quickly detected the compromise, but Socket noted that "the campaign itself isn't yet fully contained." Injective CEO Eric Chen said, "it's already fixed, and the affected versions on npm are already deprecated," adding that no funds on the network are at risk. Socket did not specify whether any funds were stolen in the incident, and the malicious code has since been removed from the registry.
The supply chain tactic — targeting trusted developer tools rather than blockchain cryptography or smart contracts directly — mirrors findings in the Security Alliance's second-quarter threat report, which found attackers increasingly using legitimate platforms such as GitHub, npm and Google to deliver payloads. Injective is an interoperable layer-1 blockchain built for DeFi applications; its total value locked has fallen roughly 88% from a peak of $71 million in mid-2024 to $8.2 million currently, according to DefiLlama.
Mentioned Coins
Share Article
Quick Info
Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.
See our Terms of Service, Privacy Policy, and Editorial Policy.