A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found. AccordingA malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found. According

Compromised Injective SDK sends wallet keys through fake telemetry

2026/07/10 13:43
3분 읽기
이 콘텐츠에 대한 의견이나 우려 사항이 있으시면 crypto.news@mexc.com으로 연락주시기 바랍니다

A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found.

Summary
  • Socket found that a compromised Injective npm package copied private keys and seed phrases through fake telemetry.
  • The malicious version was downloaded more than 300 times and spread through 17 related Injective Labs packages.
  • CertiK reported that wallet compromises caused $444 million in losses during the first half of 2026.

According to security firm Socket, version 1.20.21 of the @injectivelabs/sdk-ts npm package, which has about 50,000 weekly downloads, was altered after a developer’s GitHub account was compromised. Suspicious commits began on June 8, and the malicious release was later pinned across 17 other packages under the Injective Labs npm scope.

The security firm said the code intercepted wallet key-generation functions, recorded private keys and recovery phrases, then encoded the data and sent it through fake telemetry to a web address made to resemble an Injective server.

“Any keys or mnemonics passed through affected packages should be treated as compromised,” Socket said, warning that applications may have been exposed even if they did not install the SDK directly.

Although the compromised developer detected the intrusion quickly and the malicious package version has been removed, Socket said the campaign was not yet fully contained.

Injective CEO Eric Chen said the affected npm releases had been deprecated and the issue was fixed. Chen added that no funds on the Injective network were at risk, while Socket did not report whether the malware resulted in stolen assets.

Developers become the target

Rather than attacking a blockchain’s cryptography or smart contracts, the operation targeted software that developers use to build wallets, exchanges and applications. The Security Alliance said in its second-quarter threat report that attackers have increasingly used platforms including GitHub, npm, and Google to distribute malware.

In some incidents, SEAL said, compromised machines have been used to push malicious code into a company’s own GitHub repositories, allowing one breach to become a channel for further distribution. The report also cited more cross-platform malware packages combining infostealers, remote access trojans and backdoors, including a rise in macOS-targeted campaigns.

Axios npm releases were hit by a similar supply-chain attack in March, while the TrapDoor campaign found in May targeted developers working in crypto, DeFi, artificial intelligence and security. GitHub also disclosed unauthorised access to internal repositories on May 20 after an employee device was compromised.

Wallet compromises were the costliest crypto attack method in the first half of 2026, accounting for $444 million stolen across 33 cases, according to CertiK.

Injective, an interoperable layer 1 for DeFi applications, has seen its total value locked fall 88% from a mid-2024 peak of $71 million to $8.2 million, DefiLlama data shows. Earlier this year, community members approved IIP-617, accelerating reductions in new INJ issuance while retaining existing token burns.

World Cup Combo: Aim for 200x

World Cup Combo: Aim for 200xWorld Cup Combo: Aim for 200x

Combine up to 20 World Cup matches in one order

면책 조항: 본 사이트에 재게시된 글들은 공개 플랫폼에서 가져온 것으로 정보 제공 목적으로만 제공됩니다. 이는 반드시 MEXC의 견해를 반영하는 것은 아닙니다. 모든 권리는 원저자에게 있습니다. 제3자의 권리를 침해하는 콘텐츠가 있다고 판단될 경우, crypto.news@mexc.com으로 연락하여 삭제 요청을 해주시기 바랍니다. MEXC는 콘텐츠의 정확성, 완전성 또는 시의적절성에 대해 어떠한 보증도 하지 않으며, 제공된 정보에 기반하여 취해진 어떠한 조치에 대해서도 책임을 지지 않습니다. 본 콘텐츠는 금융, 법률 또는 기타 전문적인 조언을 구성하지 않으며, MEXC의 추천이나 보증으로 간주되어서는 안 됩니다.

$5M in SPCX Positions for Free

$5M in SPCX Positions for Free$5M in SPCX Positions for Free

0 fees, 100x leverage, daily prizes, 7K+ stocks/ETFs