BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
DeFi

Injective SDK Hit By Supply Chain Attack

How the Attack Unfolded A supply chain attack has hit the Injective ($INJ) developer ecosystem after hackers planted wallet-stealing malware inside a widely used npm package. Security firm So

AnonymousCryptoCompass newsroom
July 10, 2026
3 min read
NEWS
Injective SDK Hit By Supply Chain Attack
CryptoCompass editorial visual for defi coverage.

How the Attack Unfolded

A supply chain attack has hit the Injective ($INJ) developer ecosystem after hackers planted wallet-stealing malware inside a widely used npm package. Security firm Socket identified the threat in version 1.20.21 of the injectivelabs/sdk-ts package, the official TypeScript SDK for building applications on the Injective blockchain.

The Injective SDK is a TypeScript/JavaScript development kit for building DeFi applications, tokenized assets, and decentralized exchanges on the Injective blockchain. The package draws around 50,000 weekly downloads and is used by developers building cryptocurrency wallets, trading bots, decentralized exchanges, and payment tools.

The malicious functionality was introduced through commits submitted by a GitHub account belonging to a developer with an established history of contributions to the repository.Suspicious commits began on June 8, and the malicious release was later pinned across 17 other packages under the Injective Labs npm scope.

The malicious code hooked into normal functions used to generate wallet keys, and whenever a developer's app used these functions, it secretly copied the seed phrase or private key.The stolen data was base64-encoded and silently sent via a POST request to an endpoint made to resemble Injective Labs public infrastructure, blending the exfiltrated traffic with normal network activity.

Scope and Developer Guidance

The impact extends beyond direct users of the core SDK. The attackers also published version 1.20.21 across 17 additional Injective Labs scoped packages that depended on and pinned the malicious SDK version, exposing developers who may not have installed the SDK directly.

The compromised version was downloaded approximately 310 times, though a download does not automatically mean a wallet key was exposed. The dangerous code would only have run while an application was actively handling a private key or recovery phrase.

Injective CEO Eric Chen said the issue was already fixed and the affected versions on npm were deprecated, adding that no funds on the network were at risk. Socket did not report whether the malware resulted in any stolen assets.

All 18 affected packages were republished clean at version 1.20.23 within approximately 49 minutes. Despite the swift response, Socket urged that any keys or mnemonics passed through the affected packages should be treated as compromised, warning that applications may have been exposed even if they did not install the SDK directly. Developers should move funds, rotate keys and mnemonics, and check for transitive dependencies, as auditing direct dependencies alone is not sufficient.

Rather than attacking a blockchain's cryptography or smart contracts, the operation targeted software that developers use to build wallets, exchanges, and applications.Wallet compromise has emerged as the most financially destructive attack category of H1 2026, generating over $444 million across just 33 incidents, according to CertiK.

Sources:Socket Security: Compromised Injective SDK npm PackageBleepingComputer: Injective SDK on npm Infected With Cryptocurrency Wallet StealerCertiK: Hack3D H1 2026 Report