Hackers Compromised Injective’s 50,000-Download SDK To Steal Seed Phrases From Developers

Hackers Compromised Injective’s 50,000-Download SDK To Steal Seed Phrases From Developers

Hackers slipped wallet-stealing malware into an official Injective (INJ) developer package that averages 50,000 weekly downloads, and the tainted release was fetched 310 times before a rapid cleanup.

Key Points:

  • A tainted version of Injective's main TypeScript kit copied wallet seed phrases and private keys during normal use.
  • The malicious release spread across 18 packages, was downloaded 310 times and stayed live for under an hour.
  • Researchers say any keys that passed through the affected versions should be treated as compromised.

Injective SDK Backdoor Details

Security firm Socket disclosed on Thursday that version 1.20.21 of the @injectivelabs/sdk-ts package on npm had been altered through a compromised contributor account on GitHub. The kit is a core building block for wallets, exchanges and trading bots on Injective, a layer-1 blockchain designed for decentralized finance.

The rogue code posed as harmless usage analytics and hooked the functions that turn a seed phrase or a raw private key into a usable signing key. Every time an application called them, it quietly recorded the secrets, batched them for two seconds and sent them to a server disguised as legitimate Injective infrastructure. The stolen material traveled inside a request header, letting it blend into ordinary traffic.

Automated publishing carried the same poisoned version across 17 related packages within minutes of the first malicious commit, widening exposure to teams that never installed the kit directly.

A commit-level analysis showed the payload went live on Jul. 8 and was pulled in under an hour, with a clean version 1.20.23 following shortly after.

Injective CEO Eric Chen reportedly said the issue is already fixed and no funds on the network are at risk. Still, the compromised release was only deprecated on npm rather than removed, leaving it available for download. Artifacts from the tainted build also remained on GitHub at the time of disclosure.

Also Read: Solana’s ETF Moment Gets Harder To Ignore After New Bitwise Filing

Why Crypto Wallet Keys Were The Target

Researchers described the compromise as "significant for developers and applications that handle Injective wallet workflows," though they did not specify whether any assets were stolen. Teams were urged to treat any key or mnemonic that touched the affected versions as compromised, move funds to fresh wallets and rotate every secret in their environments.

Attacks of this kind never touch a blockchain's cryptography. Intruders instead poison the trusted tools developers rely on, turning a single hijacked account into a distribution channel that can quietly reach thousands of downstream applications.

The compromised kit alone counts 87 other npm packages among its direct dependents, analysts reported.

The episode caps a punishing stretch for open-source crypto tooling, following a similar compromise of Axios npm releases in March and the TrapDoor malware campaign that hit crypto and DeFi developers in May. CertiK ranked wallet compromises as the most costly attack vector of the first half of 2026, with $444 million stolen across 33 incidents.

Read Next: Grok 4.5 Challenges OpenAI And Anthropic With Cheaper Agentic AI

Disclaimer and Risk Warning: The information provided in this article is for educational and informational purposes only and is based on the author's opinion. It does not constitute financial, investment, legal, or tax advice. Cryptocurrency assets are highly volatile and subject to high risk, including the risk of losing all or a substantial amount of your investment. Trading or holding crypto assets may not be suitable for all investors. The views expressed in this article are solely those of the author(s) and do not represent the official policy or position of Yellow, its founders, or its executives. Always conduct your own thorough research (D.Y.O.R.) and consult a licensed financial professional before making any investment decision.
Latest News
Show All News
Hackers Compromised Injective’s 50,000-Download SDK To Steal Seed Phrases From Developers | Yellow.com