Hackers tried to backdoor Injective npm package to steal wallet keys
A supply chain attack compromised a popular npm package used to build Injective blockchain apps, turning legitimate developer tooling into malware that stole crypto wallet private keys and seed phrases. The malicious code was inserted into version 1.20.21 of `@injectivelabs/sdk-ts` through a compromised GitHub account, then propagated to 17 related packages. It hooked wallet key-derivation functions, copied sensitive data, and exfiltrated it via fake telemetry to a server mimicking Injective infrastructure. Socket said the package had about 50,000 weekly downloads, though the malicious version was downloaded only about 300 times before removal. Injective said the issue has been fixed and affected npm versions deprecated. The incident reflects a broader trend: attackers are increasingly abusing trusted platforms like GitHub and npm to distribute malware, and wallet compromises have become a major source of crypto losses.
