- Hackers compromised the @injectivelabs/sdk-ts npm package with Malware designed to steal crypto wallet private keys and seed phrases.
- The supply chain attack leveraged a compromised developer GitHub account to push malicious code through fake telemetry.
- Wallet compromises have become the most costly attack vector in 2026, with $444 million stolen across 33 incidents so far this year.
Security firm Socket discovered on Thursday that a widely used npm package with roughly 50,000 weekly downloads for building on the Injective blockchain was maliciously modified to steal wallet private keys and seed phrases. The large download volume makes the incident “significant for developers and applications that handle Injective wallet workflows,” Socket researchers said.
The software supply chain attack targets trusted developer tools rather than a blockchain’s cryptography or smart contracts directly. Version 1.20.21 of the @injectivelabs/sdk-ts package was altered through a compromised developer GitHub account, with suspicious commits beginning June 8.
Injective is an interoperable layer 1 designed for DeFi applications, though its total value locked has shrunk by 88% to $8.2 million from its $71 million peak in mid-2024, according to data from DefiLlama. The malicious release hooked wallet key-derivation functions, secretly recording private keys and mnemonics before exfiltrating them through fake telemetry.
The compromised data was encoded and sent to a web address resembling a legitimate Injective network server. Socket stated that any keys or mnemonics passed through affected packages should be treated as compromised.
Injective CEO Eric Chen said the issue is already fixed and affected versions on npm are deprecated. No funds on the network are at risk, he added, though Socket did not specify whether any funds were stolen.
The Security Alliance (SEAL) reported that attackers are increasingly using legitimate platforms like GitHub, npm and Google to deliver payloads. Wallet compromises were the most costly attack vector in the first half of 2026, with $444 million stolen across 33 incidents, CertiK reported.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Musk Admits He Was Wrong About Anthropic, Calls It AI Leader
- Coinbase CLO Paul Grewal steps down, names successors
- npm 12 disables install scripts, phases out 2FA bypass tokens
- Ethereum Foundation deploys AI agents to hunt for network bugs
- Ethereum May Be Forming Short-Term Bottom, Says Ex-BofA Strategist
