HomeEverythingEducation
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
Story archiveAll categories
← All Stories

Hackers compromised Injective SDK npm package to steal wallet keys

Created at 10 Jul · 3:10 AM1 source↑ Market-relevant
IN SHORT

Hackers modified a popular Injective npm package to steal crypto wallet private keys and seed phrases. The malicious code, present in over 300 downloads, has been removed, and Injective CEO Eric Chen stated no funds on the network are at risk.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

50,000weekly downloads for the npm package
1.20.21version of the compromised npm package
June 8date suspicious commits began
17other packages pinned by the compromised package
300+times the malware was downloaded
$8.2 millioncurrent total value locked on Injective
$71 millionpeak total value locked on Injective

Who's Involved

Socket
security firm that discovered the attack
Injective Labs
developer of the compromised npm package
Eric Chen
CEO of Injective
SEAL
Security Alliance, reported on attack trends

↳ Why This Matters

This incident underscores the significant risks associated with software supply chain attacks in the crypto space, potentially compromising user funds and eroding trust in developer tools and platforms.

Key facts

  • A supply chain attack targeted the @injectivelabs/sdk-ts npm package, downloaded over 300 times.
  • The malware was designed to steal crypto wallet private keys and seed phrases.
  • The compromise occurred through a developer's infiltrated GitHub account.
  • The malicious code has been removed, and affected versions are deprecated.
  • Injective CEO stated no funds on the network are at risk.

Hackers attempted a supply chain attack by compromising a widely used Injective npm package, aiming to steal crypto wallet private keys and seed phrases. Security firm Socket discovered that version 1.20.21 of the @injectivelabs/sdk-ts package, downloaded over 300 times, was modified through a compromised developer GitHub account. The malicious code hooked into wallet key-derivation functions, secretly copying sensitive information and exfiltrating it to a fake server. Injective CEO Eric Chen confirmed the issue has been fixed, affected versions deprecated, and stated that no funds on the network are at risk. This incident highlights the growing threat of software supply chain attacks, where attackers exploit trusted developer tools to deliver malicious payloads.

Frequently asked questions

Version 1.20.21 of the @injectivelabs/sdk-ts npm package, used for building on the Injective blockchain, was compromised.

The malicious code hooked into functions used to generate wallet keys, secretly copying private keys and seed phrases before sending them to a fake server.

Injective CEO Eric Chen stated that no funds on the network are at risk, and Socket did not specify if any funds were stolen.

It's an attack where hackers compromise trusted developer tools or platforms to deliver malicious code, rather than targeting blockchain cryptography directly.

What Happens Next

01Developers are advised to treat any keys or mnemonics passed through affected packages as compromised.
02Users should ensure they have updated to non-compromised versions of the Injective SDK.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

Hackers compromised the @injectivelabs/sdk-ts npm package, used for Injective blockchain development.
Malicious code was introduced via a compromised developer GitHub account, beginning June 8.
The malware hooked wallet key-derivation functions to steal private keys and seed phrases.
The compromised data was encoded and sent to a fake Injective network server.
The malicious code was downloaded over 300 times before detection.
Injective CEO Eric Chen confirmed the issue is fixed and affected versions are deprecated.
No funds on the Injective network are reported to be at risk.

Sources

T1
Hackers tried to backdoor Injective npm package to steal wallet keys The incident is significant for developers and applications that handle Injective wallet workflows, Socket researchers said.Cointelegraph

Related Stories

AI accelerates crypto audit risks, researchers warn
9 Jul · 5:55 AM
JPMorgan: Private Blockchains, Not MSTR, Threaten Bitcoin
9 Jul · 8:40 PM
Trader loses $1M in Ethereum phishing token approval scam
9 Jul · 6:06 AM
Mantle Migrates $2.5B Super Portal from LayerZero to Chainlink CCIP
9 Jul · 12:06 PM
Hong Kong regulator orders new anti-phishing measures for crypto platforms
9 Jul · 1:06 PM