WikiBit 2026-07-11 04:00Socket found a compromised Injective npm package stealing wallet keys amid rising crypto supply chain attacks.
Hackers compromised a widely used Injective software package in a supply chain attack with malware designed to steal crypto wallet private keys, adding to a growing attack vector involving attackers using legitimate platforms to deliver malicious payloads.
Security firm Socket discovered on Thursday that a popular NPM (node package manager) with around 50,000 weekly downloads used for building on the Injective blockchain was maliciously modified to steal wallet private keys and seed phrases.
The large number of downloads makes the incident “significant for developers and applications that handle Injective wallet workflows,” Socket researchers said. The malicious code has since been removed.
The software supply chain attack is a relatively new attack vector in which hackers don‘t target a blockchain’s cryptography or smart contracts directly, but instead compromise trusted developer tools used to build wallets, exchanges and apps.
Injective is an interoperable layer 1 designed for DeFi applications. Its usage has dwindled over the past two years, with total value locked shrinking by 88% to current levels of $8.2 million from its $71 million peak in mid-2024, according to DefiLlama.
Secretly copying private keys and phrases
Version 1.20.21 of the @injectivelabs/sdk-ts NPM package was modified through a compromised developer GitHub account, with suspicious commits beginning June 8. It was also pinned across 17 other packages in the Injective Labs NPM scope, “exposing users who may not have installed the SDK [software development kit] directly,” Socket said.
“The malicious release hooks wallet key-derivation functions, records private keys and mnemonics, and exfiltrates them through fake telemetry,” Socket explained.
The malicious code hooked into normal functions used to generate wallet keys, and whenever a developers app used these functions, it secretly copied the seed phrase or private key. The compromised data was then encoded and sent to a web address that looked like a legitimate Injective network server.
“Any keys or mnemonics passed through affected packages should be treated as compromised,” Socket added.
Related: ‘TrapDoor’ malware targets crypto dev tools in supply chain attack
Socket reported that the developer whose account was infiltrated quickly detected the compromise, but the malware had been downloaded more than 300 times, and “the campaign itself isnt yet fully contained.”
Injective CEO Eric Chen said, “its already fixed, and the affected versions on npm are already deprecated.” No funds on the network are at risk, he added, and Socket did not specify whether any funds were stolen in the incident.
Wallet compromises most costly this year
The Security Alliance (SEAL) said in its second-quarter threat report that attackers are increasingly using legitimate platforms like GitHub, NPM and Google to deliver payloads.
“In some cases, compromised systems are being used to push malicious code directly into a companys own GitHub repositories, turning a single compromise into a distribution channel for the next one.”
SEAL added that the malware itself has also gotten more comprehensive, “with cross-platform payloads, including a rise in macOS-specific campaigns, that combine infostealers, RATs (remote access trojans) and backdoor capabilities in a single package.”
A similar supply chain attack hit Axios npm releases in March, while a malware campaign called TrapDoor was discovered in May targeting crypto, DeFi, AI and security developers.
GitHub itself was exploited on May 20 when it reported unauthorized access to its internal repositories following the compromise of an employees device.
Wallet compromises were the most costly attack vector in the first half of 2026, with $444 million stolen across 33 incidents, CertiK reported Monday.
Disclaimer:
The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
Crypto bounces back from the brink as altcoin optimism returns despite pockets of weakness
WikiBit 2026-07-06 19:32Dormant $1.9M Bitcoin tied to New York lawsuit moves after nearly 15 years
WikiBit 2026-07-06 17:36Gold and Silver Tighten Ratio to 66.9 as Both Metals Roar Higher
WikiBit 2026-07-05 02:30US Treasury Opens 'Trump Accounts' to Stock Donations as 6 Million Families Enroll
WikiBit 2026-07-05 06:05DeFi protocol Summer Finance exploited for $6 million; analysts point to flash loan attack
WikiBit 2026-07-06 16:49Vitalik Buterin shares top priorities for new 'Lean Ethereum' strawmap
WikiBit 2026-07-06 21:00Belgian regulator flags six unauthorized crypto providers after MiCA deadline
WikiBit 2026-07-06 21:00I am contemplating selling some of my bitcoin for gold, veteran trader Peter Brandt says
WikiBit 2026-07-06 18:41Trump's crypto token buyers are down $3.8 billion, blockchain data shows
WikiBit 2026-07-06 17:38How ethical hackers with just a $3,000 server found a flaw that could've put $70 billion in crypto at risk
WikiBit 2026-07-06 17:380.00