Hackers Embed Backdoor in Injective npm Package to Steal Wallet Keys

By: rootdata|2026/07/10 03:20:00
0
Share
copy

Security firm Socket has discovered that the npm package @injectivelabs/sdk-ts for the Injective blockchain has been maliciously altered. Attackers infiltrated the developer's GitHub account to implant malicious code designed to steal wallet private keys and recovery phrases. The stolen data is encoded and sent to an address disguised as a legitimate Injective network server. The package has approximately 50,000 downloads per week, and the malicious version 1.20.21 began showing suspicious commits on June 8, being locked within 17 other packages in the Injective Labs npm scope, meaning users who did not directly install the SDK may also be affected. Injective CEO Eric Chen stated that the issue has been resolved, the affected versions have been deprecated, and there is no risk to funds on the network. However, the malicious package has been downloaded over 310 times, and security firm Socket claims that the attack has not been fully contained.

You may also like

iconiconiconiconiconiconicon
Customer Support:@weikecs
Business Cooperation:@weikecs
Quant Trading & MM:bd@weex.com
VIP Program:support@weex.com