July 10, 2026 ChainGPT

Trojanized Injective SDK Exfiltrated Wallet Keys — 300+ Downloads Before Removal

Trojanized Injective SDK Exfiltrated Wallet Keys — 300+ Downloads Before Removal
Headline: Malicious update to Injective SDK siphoned wallet keys — over 300 downloads before removal A trojanized update to a popular Injective developer package briefly exfiltrated private keys and recovery phrases, security firm Socket says — a fresh reminder that attacker focus has shifted to the developer supply chain. What happened - Socket found that version 1.20.21 of the @injectivelabs/sdk-ts npm package was altered after a developer’s GitHub account was compromised. Suspicious commits began on June 8. - That malicious release was later pinned across 17 other packages in the Injective Labs npm scope. The compromised release was downloaded more than 300 times before it was removed; the SDK overall sees roughly 50,000 weekly downloads. - According to Socket, the injected code intercepted wallet key-generation functions, captured private keys and seed phrases, encoded that data and sent it via fake telemetry to a web address designed to resemble an Injective server. Impact and response - Socket warned that “any keys or mnemonics passed through affected packages should be treated as compromised,” and noted that applications could be exposed even if they didn’t install the SDK directly (due to transitive dependencies). - The compromised developer detected the intrusion and the malicious package was removed, but Socket said the campaign was not yet fully contained. - Injective CEO Eric Chen confirmed the affected npm releases were deprecated and described the issue as fixed, adding that no funds on the Injective network were at risk. Socket did not indicate whether any assets were stolen. Why this matters - This incident targets developer tooling rather than breaking blockchain cryptography or smart contracts — an increasingly popular and effective attacker strategy because compromised libraries can quietly infect wallets, exchanges and other apps during development. - Security Alliance (SEAL) Q2 threat reporting highlights this trend: attackers are increasingly abusing platforms such as GitHub, npm and Google to distribute malware. SEAL also flagged rises in cross-platform packages combining info-stealers, RATs and backdoors, and more macOS-targeted campaigns. Broader supply-chain context - Similar incidents this year include a supply-chain attack on Axios’s npm releases in March and the TrapDoor campaign in May that targeted developers working in crypto, DeFi, AI and security. - GitHub disclosed unauthorized access to internal repositories on May 20 after an employee device was compromised. - Wallet compromises were the costliest crypto attack vector in H1 2026 — CertiK reports $444 million stolen across 33 cases. Injective status and ecosystem note - Injective is an interoperable layer-1 focused on DeFi. Its total value locked has fallen from a mid‑2024 peak of $71 million to about $8.2 million, an 88% decline per DeFiLlama. Earlier this year the community approved IIP‑617, accelerating reductions in new INJ issuance while preserving existing token burn mechanisms. Practical steps for developers and users - Treat any keys or mnemonics generated or used while the compromised packages were present as compromised; rotate wallets and move funds where possible. - Review dependency trees and lockfiles, pin trusted package versions, enable package integrity checks, and audit developer accounts and CI/CD credentials. - Monitor telemetry and network calls from development environments and production services for suspicious destinations. This episode underscores a growing reality: attackers are increasingly weaponizing the software supply chain. Even well-known libraries can become the conduit for large-scale theft if developer accounts or build systems are compromised. Read more AI-generated news on: undefined/news