Hackers tried to backdoor Injective npm package for wallet keys
Hackers tried to backdoor the Injective npm package @injectivelabs/sdk-ts in a supply chain attack aimed at stealing crypto wallet private keys and seed phrases. Security firm Socket said version 1.20.21 was maliciously modified through a compromised developer GitHub account, with suspicious commits beginning June 8. The incident is significant for developers and applications that handle Injective wallet workflows.
Key Takeaways
- Attackers compromised version 1.20.21 of @injectivelabs/sdk-ts, an npm package with about 50,000 weekly downloads used to build on Injective.
- Malware hooked wallet key-derivation functions and exfiltrated private keys and mnemonics through fake telemetry to a server mimicking Injective infrastructure.
- The poisoned SDK was pinned across 17 other Injective Labs npm packages, exposing users who never installed the SDK directly.
- Socket said the malicious release was downloaded more than 300 times and the campaign is not yet fully contained, though Injective CEO Eric Chen said affected npm versions are deprecated.
- Supply chain attacks on trusted developer tools are a growing crypto threat, alongside campaigns like TrapDoor and the Axios npm incident.
What happened to the Injective npm package?
Hackers compromised a widely used Injective software package in a supply chain attack with malware designed to steal crypto wallet private keys. Socket discovered on Thursday that the popular npm package used for building on the Injective blockchain had been maliciously modified.
Version 1.20.21 of @injectivelabs/sdk-ts was altered through a compromised developer GitHub account. It was also pinned across 17 other packages in the Injective Labs npm scope, exposing users who may not have installed the SDK directly, Socket said. The malicious code has since been removed from the package.
This attack vector targets trusted developer tools rather than a blockchain's cryptography or smart contracts directly. Similar incidents have hit Axios npm releases in March and a TrapDoor malware campaign in May targeting crypto, DeFi, AI and security developers. For broader coverage of crypto security threats, see our Fintech & Crypto Alerts section.
How did the backdoor steal wallet keys?
According to Socket, the malicious release hooked wallet key-derivation functions, recorded private keys and mnemonics, and exfiltrated them through fake telemetry. Whenever a developer's app used these normal functions to generate wallet keys, the code secretly copied the seed phrase or private key.
The stolen data was encoded and sent to a web address that looked like a legitimate Injective network server. Socket added that any keys or mnemonics passed through affected packages should be treated as compromised.
The Security Alliance reported in its second-quarter threat report that attackers are increasingly using legitimate platforms like GitHub, npm and Google to deliver payloads. Malware has also grown more comprehensive, with cross-platform payloads and macOS-specific campaigns combining infostealers, remote access trojans and backdoor capabilities.
Who is at risk from this Injective attack?
The large number of downloads makes the incident significant for developers and applications that handle Injective wallet workflows, Socket researchers said. Injective is an interoperable layer 1 designed for DeFi applications, though its total value locked has shrunk by 88% to about $8.2 million from a $71 million peak in mid-2024, according to DefiLlama.
Socket reported that the infiltrated developer quickly detected the compromise, but the malware had been downloaded more than 300 times before deprecation. The security firm said the campaign itself is not yet fully contained. The compromised npm package was downloaded 310 times, according to Socket data cited by Cointelegraph.
What should developers do now?
Injective CEO Eric Chen said the issue is already fixed and the affected versions on npm are deprecated. He added that no funds on the network are at risk. Socket did not specify whether any funds were stolen in the incident.
Developers who used affected packages should rotate any wallet keys or seed phrases that passed through the compromised SDK. Wallet compromises were the most costly attack vector in the first half of 2026, with $444 million stolen across 33 incidents, CertiK reported Monday.
GitHub itself was exploited on May 20 when it reported unauthorized access to internal repositories following the compromise of an employee's device. The Injective npm backdoor underscores why teams must audit dependencies and treat supply chain security as critical infrastructure.