Security

Injective SDK Compromised, Exposes Wallet Keys

Injective SDK Compromised, Exposes Wallet Keys

A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, according to security firm Socket. The compromised version, 1.20.21 of the @injectivelabs/sdk-ts npm package, was altered after a developer’s GitHub account was compromised, with suspicious commits beginning on June 8. The malicious code intercepted wallet key-generation functions, recording private keys and recovery phrases, then sending the data through fake telemetry to a web address resembling an Injective server.

Malicious Package Details

The malicious release was pinned across 17 other packages under the Injective Labs npm scope, potentially exposing applications even if they did not install the SDK directly. Socket warned that any keys or mnemonics passed through affected packages should be treated as compromised.

Incident Response

Although the compromised developer detected the intrusion quickly and the malicious package version has been removed, Socket said the campaign was not yet fully contained. Injective CEO Eric Chen stated that the affected npm releases had been deprecated and the issue was fixed, adding that no funds on the Injective network were at risk.

Broader Context

The operation targeted software used by developers to build wallets, exchanges, and applications, rather than attacking a blockchain’s cryptography or smart contracts. This type of supply-chain attack has become increasingly common, with attackers using platforms like GitHub, npm, and Google to distribute malware, according to the Security Alliance’s second-quarter threat report.

Market Impact

Wallet compromises were the costliest crypto attack method in the first half of 2026, accounting for $444 million stolen across 33 cases, according to CertiK. Injective, an interoperable layer 1 for DeFi applications, has seen its total value locked fall 88% from a mid-2024 peak of $71 million to $8.2 million, DefiLlama data shows.

Based on reporting from crypto.news.