A widely used software package for the Injective blockchain was compromised by hackers who inserted malicious code designed to steal private keys and seed phrases from users’ crypto wallets. The attack exploited a supply chain vulnerability, where legitimate developer tools are manipulated to deliver malware instead of targeting blockchain protocols directly.

Security researchers at Socket discovered that version 1.20.21 of the @injectivelabs/sdk-ts npm package, integral to building applications on Injective’s interoperable layer 1 blockchain, was altered through a breached developer GitHub account. This package, which has tens of thousands of weekly downloads, included code that intercepted wallet key-derivation functions, logged sensitive data, and sent it covertly to a server masquerading as part of the Injective network.

More alarmingly, the compromised package was linked as a dependency in 17 other Injective Labs npm packages, potentially exposing a far wider developer audience beyond those who installed the malware-laden software directly. Once active, the malicious code encoded stolen mnemonic phrases and private keys before transmitting them stealthily, raising significant security concerns for any wallet or app leveraging these libraries.

After Socket alerted the developers, the malware-laden version was quickly deprecated and removed from npm. Although over 300 downloads of the infected package occurred before containment, Injective’s CEO stated that no funds on the network appeared to be at risk. Nonetheless, users who relied on the affected package are advised to consider any keys or seed phrases processed via it as compromised and to replace them immediately.

This incident exemplifies a growing trend in crypto security breaches where threat actors exploit supply chain weaknesses in development platforms such as npm, GitHub, and Google repositories. Instead of attacking blockchain encryption or smart contracts directly, hackers increasingly compromise trusted tools essential for creating wallets, exchanges, and decentralized applications.

Injective’s total value locked has sharply declined in recent years, but the package compromise adds fresh security doubts for developers building on its ecosystem. The swift detection and remediation prevented broader damage, yet the incident underscores the critical need for enhanced safeguards around third-party software dependencies in crypto development environments.