Supply Chain Attack Hits Injective — 310 Downloads of Infected NPM Package
By John Nada·Jul 11, 2026·4 min read
Hackers compromised Injective’s NPM package, downloading malware over 300 times to steal crypto wallet keys. Injective denies downloads.
Hackers compromised a widely used Injective software package, aiming to steal crypto wallet private keys in a sophisticated supply chain attack. Security firm Socket reported on Thursday that a popular NPM (node package manager), crucial for building on the Injective blockchain, was maliciously modified, leading to over 300 downloads before the issue was addressed.
Injective, an interoperable layer 1 designed for DeFi applications, faced a dwindling user base over the past two years, with its total value locked plummeting by 88% to $8.2 million from a mid-2024 peak of $71 million, according to DefiLlama. Despite the attack’s reach, Injective claimed that "there were zero downloads of the malicious package," contradicting Socket's report of 310 downloads.
The compromised package, version 1.20.21 of the @injectivelabs/sdk-ts NPM, was altered through a breached developer GitHub account. Suspicious commits began on June 8, affecting 17 other packages within the Injective Labs NPM scope. "The malicious release hooks wallet key-derivation functions, records private keys and mnemonics, and exfiltrates them through fake telemetry," Socket explained.
Eric Chen, CEO of Injective, stated that the problem is "already fixed, and the affected versions on npm are already deprecated." He assured that no funds on the network are at risk. Yet, Socket did not clarify if any funds were actually stolen during the incident.
This attack highlights a growing threat in the tech ecosystem—supply chain attacks—where hackers target trusted developer tools rather than blockchain cryptography directly. This vector has become an increasingly common route for attackers, underscoring the need for heightened vigilance.
The Security Alliance (SEAL) pointed out in its report that attackers increasingly exploit legitimate platforms like GitHub and NPM for distribution of malicious code. This includes comprehensive malware capable of deploying cross-platform payloads, with a rise in macOS-specific campaigns.
Supply chain attacks such as this one have become more prevalent, drawing attention to the need for advanced security measures within the developer community. The attack on Injective is part of a broader trend seen in recent months, where malicious actors aim to compromise the tools and infrastructure developers rely on to create and maintain blockchain applications.

Leverage in ETF Market Raises Concerns — SK Hynix Joins the Fray
Leverage in ETFs hits a new high with SK Hynix's debut in the U.
The compromised NPM package, which received more than 50,000 weekly downloads before being altered, represents a significant threat given the potential for widespread impact. Developers who unknowingly integrated the tainted packages into their projects could have inadvertently exposed their users to security risks. The power of such attacks lies in their ability to target multiple applications simultaneously, leveraging trusted platforms as vehicles for malware distribution.
In this instance, the hackers' methodology involved modifying the NPM package to hook into wallet key-derivation functions. This allowed the malicious code to record sensitive information such as private keys and mnemonics. The data was then encoded and transmitted to a web address mimicking a legitimate Injective network server, effectively disguising the exfiltration process.
The rapid detection and response by the developer whose GitHub account was compromised highlighted the importance of active monitoring and swift action in mitigating the impact of such breaches. Despite Injective's assurance that no malicious downloads occurred, the discrepancy with Socket's report underscores the complexities involved in accurately assessing and communicating the scope of cyber incidents.
The rise of supply chain attacks has prompted organizations like the Security Alliance to issue warnings about the evolving nature of cyber threats. Their reports indicate a trend towards more sophisticated and cross-platform malware, which can affect a wider range of systems and devices. This includes the emergence of macOS-specific campaigns, demonstrating the adaptability of attackers who seek to exploit vulnerabilities across different operating environments.
The broader implications of the Injective attack serve as a cautionary tale for the entire tech industry. As the landscape continues to evolve, so too do the methods employed by those with malicious intent. Developers and companies must adopt robust security measures and remain vigilant to protect against these evolving threats.
The incident also emphasizes the need for comprehensive security audits and the implementation of best practices in software development. By ensuring that code repositories are secure and that any anomalies are promptly investigated and addressed, developers can help safeguard the integrity of their projects and protect their users' data.