Home > Quick > Body

Socket Finds Injective npm Package Compromised to Steal Wallet Private Keys

clock
2026-07-10 03:23:51
A widely used Injective software package was compromised in a supply chain attack that inserted malware designed to steal crypto wallet private keys and seed phrases, raising concerns about attackers abusing trusted developer tools to distribute malicious code. According to Cointelegraph, security firm Socket said on Thursday it found a popular npm package used for building on the Injective blockchain—downloaded about 50,000 times weekly—had been maliciously modified, an incident the firm called significant for developers and applications handling Injective wallet workflows. Socket said the malicious code has since been removed, but warned that any keys or mnemonics processed through affected packages should be treated as compromised. The attack reflects a growing vector in which hackers avoid targeting blockchain cryptography or smart contracts directly and instead compromise legitimate tooling used to build wallets, exchanges, and applications.

Socket said version 1.20.21 of the @injectivelabs/sdk-ts npm package was altered via a compromised developer GitHub account, with suspicious commits beginning June 8. The firm added that the affected SDK version was pinned across 17 other packages in the Injective Labs npm scope, potentially exposing users who did not install the SDK directly. Socket said the malicious release hooked wallet key-derivation functions, recorded private keys and mnemonics, and exfiltrated them through fake telemetry, encoding the data and sending it to a web address resembling a legitimate Injective network server. Socket reported the compromised package was downloaded more than 300 times, including 310 downloads cited in its reporting, and said the campaign was not yet fully contained. Injective CEO Eric Chen said the issue was fixed and the affected npm versions were deprecated, adding that no funds on the network were at risk; Socket did not specify whether any funds were stolen.

The incident comes as security groups report broader misuse of mainstream platforms to deliver malware. The Security Alliance (SEAL) said in its second-quarter threat report that attackers are increasingly using legitimate services such as GitHub, npm, and Google to distribute payloads, including cases where compromised systems push malicious code into a company’s own GitHub repositories. SEAL also said malware has become more comprehensive, citing cross-platform payloads and a rise in macOS-specific campaigns that combine infostealers, remote access trojans, and backdoor capabilities. Cointelegraph also noted other recent supply chain and platform-related incidents, including an attack on Axios npm releases in March, the TrapDoor malware campaign discovered in May targeting crypto, DeFi, AI, and security developers, and GitHub’s May 20 report of unauthorized access to internal repositories after an employee device compromise. Separately, CertiK reported Monday that wallet compromises were the most costly attack vector in the first half of 2026, with $444 million stolen across 33 incidents.
Disclaimer:
1. The information provided does not constitute investment advice. Investors should make independent decisions and bear all risks themselves.
2. The copyright of this content belongs to the original author. The views expressed herein are solely those of the author and do not represent the stance or position of this website.
New Tab Page - Desk3 | Plugin
Stay ahead of the game in the cryptocurrency space.