July 10, 2026 ChainGPT

Trojanized Injective SDK exfiltrated wallet keys via fake telemetry — npm supply‑chain attack

Trojanized Injective SDK exfiltrated wallet keys via fake telemetry — npm supply‑chain attack
Headline: Malicious Injective SDK update exfiltrated wallet keys via fake “telemetry” — security firm flags supply-chain attack A trojanized Injective developer package secretly harvested private keys and seed phrases after a malicious npm release was published, security firm Socket reported — forcing a rapid cleanup and raising fresh alarms about developer-targeted supply‑chain attacks. What happened - Socket says version 1.20.21 of the @injectivelabs/sdk-ts npm package was modified after a contributor’s GitHub account was compromised. The package — which sees roughly 50,000 weekly downloads — was altered with suspicious commits that began on June 8. - The malicious release was then pinned across 17 other packages in the Injective Labs npm scope and was downloaded more than 300 times before detection. - The injected code hooked into wallet key‑generation functions, captured private keys and recovery phrases, encoded the data, and transmitted it via fake telemetry to a web address crafted to look like an Injective server. Risks and immediate response - Socket warned that “any keys or mnemonics passed through affected packages should be treated as compromised,” noting that downstream applications could be exposed even if they didn’t install the SDK directly. - The compromised developer reportedly detected the intrusion quickly and the malicious package version was removed. Injective CEO Eric Chen said the affected npm releases were deprecated and the problem fixed, adding that no funds on the Injective network were at risk. - Socket, however, cautioned the campaign was not yet fully contained and did not report whether the malware led to stolen assets. Why this matters - This incident didn’t attack cryptography or smart contracts directly; it targeted the developer toolchain — the libraries builders use to create wallets, exchanges and DeFi apps — making it particularly dangerous and broad in potential impact. - Security groups have been tracking a rise in attacker activity that leverages popular platforms such as GitHub, npm and Google to distribute malware. The Security Alliance’s Q2 threat report highlighted that compromised developer machines or accounts are increasingly used to push malicious code into legitimate repositories, effectively turning a single breach into a distribution channel. - The report also flagged more multi-platform malware bundles that combine info-stealers, remote access trojans and backdoors — including a growth in macOS-targeted operations. Broader context and recent precedents - The crypto and developer ecosystem has seen similar supply-chain intrusions this year: Axios npm packages were hit in March, the TrapDoor campaign targeted developers across crypto, DeFi, AI and security in May, and GitHub disclosed unauthorized access to internal repositories on May 20 after an employee device was compromised. - Wallet compromises were the costliest crypto attack vector in H1 2026, accounting for $444 million stolen across 33 incidents, per CertiK. Injective status - Injective is an interoperable layer‑1 focused on DeFi. Its total value locked has dropped from a mid-2024 peak of $71 million to about $8.2 million — an 88% decline, according to DefiLlama. - Earlier this year the Injective community approved IIP-617, which accelerates reductions in new INJ issuance while maintaining existing token burns. Takeaway This episode is another reminder that attacker focus has shifted up the stack: supply‑chain and developer-tool compromises can undermine security across many projects at once. Developers and teams should audit dependencies, rotate keys and recovery phrases if exposed, and tighten account and CI/CD protections to reduce the risk of similar intrusions. Read more AI-generated news on: undefined/news