WikiBit 2026-07-10 13:43Hackers compromised an Injective developer account and altered npm packages to collect wallet keys and recovery phrases.
A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found.
According to security firm Socket, version 1.20.21 of the @injectivelabs/sdk-ts npm package, which has about 50,000 weekly downloads, was altered after a developers GitHub account was compromised. Suspicious commits began on June 8, and the malicious release was later pinned across 17 other packages under the Injective Labs npm scope.
The security firm said the code intercepted wallet key-generation functions, recorded private keys and recovery phrases, then encoded the data and sent it through fake telemetry to a web address made to resemble an Injective server.
“Any keys or mnemonics passed through affected packages should be treated as compromised,” Socket said, warning that applications may have been exposed even if they did not install the SDK directly.
Although the compromised developer detected the intrusion quickly and the malicious package version has been removed, Socket said the campaign was not yet fully contained.
Injective CEO Eric Chen said the affected npm releases had been deprecated and the issue was fixed. Chen added that no funds on the Injective network were at risk, while Socket did not report whether the malware resulted in stolen assets.
Developers become the target
Rather than attacking a blockchains cryptography or smart contracts, the operation targeted software that developers use to build wallets, exchanges and applications. The Security Alliance said in its second-quarter threat report that attackers have increasingly used platforms including GitHub, npm, and Google to distribute malware.
In some incidents, SEAL said, compromised machines have been used to push malicious code into a companys own GitHub repositories, allowing one breach to become a channel for further distribution. The report also cited more cross-platform malware packages combining infostealers, remote access trojans and backdoors, including a rise in macOS-targeted campaigns.
Axios npm releases were hit by a similar supply-chain attack in March, while the TrapDoor campaign found in May targeted developers working in crypto, DeFi, artificial intelligence and security. GitHub also disclosed unauthorised access to internal repositories on May 20 after an employee device was compromised.
Wallet compromises were the costliest crypto attack method in the first half of 2026, accounting for $444 million stolen across 33 cases, according to CertiK.
Injective, an interoperable layer 1 for DeFi applications, has seen its total value locked fall 88% from a mid-2024 peak of $71 million to $8.2 million, DefiLlama data shows. Earlier this year, community members approved IIP-617, accelerating reductions in new INJ issuance while retaining existing token burns.
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
HSBC completes first tokenized structured product pilot for institutional investors
WikiBit 2026-07-10 16:00Paul Grewal Coinbase Transition and Legal Leadership Shift
WikiBit 2026-07-10 17:58Crypto defies equity weakness as altcoin optimism builds into the weekend
WikiBit 2026-07-10 20:10RealFi Launches Public Testnet for USDr Ahead of Mainnet Rollout
WikiBit 2026-07-10 18:13AI contracts, not bitcoin, now drive miner valuations, and Cipher and TeraWulf look cheap, says analyst
WikiBit 2026-07-10 18:13USDC issuer Circle wins final approval for US national trust bank charter
WikiBit 2026-07-10 20:00Ledger researchers disclose Tangem card flaw; Tangem says risk to everyday users is 'virtually non-existent'
WikiBit 2026-07-10 19:08Bitcoin returns to $64.3K with new three-week BTC price highs imminent
WikiBit 2026-07-10 18:00NEAR Price Prediction: Dead Money at $1.95 — But a $1.75 Flush or $2.14 SMA50 Reclaim Is Coming Fast
WikiBit 2026-07-10 19:00Compromised Injective SDK sends wallet keys through fake telemetry
WikiBit 2026-07-10 13:430.00