Fintech & Crypto Alerts · Quinn Barrett · 10 July 2026

Hackers tried to backdoor Injective npm package for wallet keys

Hackers tried to backdoor Injective npm package for wallet keys

Hackers tried to backdoor the Injective npm package @injectivelabs/sdk-ts in a supply chain attack aimed at stealing crypto wallet private keys and seed phrases. Security firm Socket said version 1.20.21 was maliciously modified through a compromised developer GitHub account, with suspicious commits beginning June 8. The incident is significant for developers and applications that handle Injective wallet workflows.

Key Takeaways

What happened to the Injective npm package?

Hackers compromised a widely used Injective software package in a supply chain attack with malware designed to steal crypto wallet private keys. Socket discovered on Thursday that the popular npm package used for building on the Injective blockchain had been maliciously modified.

Version 1.20.21 of @injectivelabs/sdk-ts was altered through a compromised developer GitHub account. It was also pinned across 17 other packages in the Injective Labs npm scope, exposing users who may not have installed the SDK directly, Socket said. The malicious code has since been removed from the package.

This attack vector targets trusted developer tools rather than a blockchain's cryptography or smart contracts directly. Similar incidents have hit Axios npm releases in March and a TrapDoor malware campaign in May targeting crypto, DeFi, AI and security developers. For broader coverage of crypto security threats, see our Fintech & Crypto Alerts section.

How did the backdoor steal wallet keys?

According to Socket, the malicious release hooked wallet key-derivation functions, recorded private keys and mnemonics, and exfiltrated them through fake telemetry. Whenever a developer's app used these normal functions to generate wallet keys, the code secretly copied the seed phrase or private key.

The stolen data was encoded and sent to a web address that looked like a legitimate Injective network server. Socket added that any keys or mnemonics passed through affected packages should be treated as compromised.

The Security Alliance reported in its second-quarter threat report that attackers are increasingly using legitimate platforms like GitHub, npm and Google to deliver payloads. Malware has also grown more comprehensive, with cross-platform payloads and macOS-specific campaigns combining infostealers, remote access trojans and backdoor capabilities.

Who is at risk from this Injective attack?

The large number of downloads makes the incident significant for developers and applications that handle Injective wallet workflows, Socket researchers said. Injective is an interoperable layer 1 designed for DeFi applications, though its total value locked has shrunk by 88% to about $8.2 million from a $71 million peak in mid-2024, according to DefiLlama.

Socket reported that the infiltrated developer quickly detected the compromise, but the malware had been downloaded more than 300 times before deprecation. The security firm said the campaign itself is not yet fully contained. The compromised npm package was downloaded 310 times, according to Socket data cited by Cointelegraph.

What should developers do now?

Injective CEO Eric Chen said the issue is already fixed and the affected versions on npm are deprecated. He added that no funds on the network are at risk. Socket did not specify whether any funds were stolen in the incident.

Developers who used affected packages should rotate any wallet keys or seed phrases that passed through the compromised SDK. Wallet compromises were the most costly attack vector in the first half of 2026, with $444 million stolen across 33 incidents, CertiK reported Monday.

GitHub itself was exploited on May 20 when it reported unauthorized access to internal repositories following the compromise of an employee's device. The Injective npm backdoor underscores why teams must audit dependencies and treat supply chain security as critical infrastructure.

← Open in blast feed