Injective npm Supply-Chain Attack Targeted Wallet Keys, Not Network Funds

Daily Feed
Injective npm Supply-Chain Attack Targeted Wallet Keys, Not Network Funds

A bad npm release can be just as dangerous as a flashy on-chain exploit, and sometimes more so, because it can expose keys before anyone notices. That’s the uncomfortable lesson behind Injective’s assurance that no network funds were at risk after a backdoored package was used to target wallet keys.

  • Malicious npm code reportedly targeted wallet seed phrases and private keys
  • Injective says its chain and on-chain funds were not compromised
  • The real risk was supply-chain compromise in developer tooling
  • Affected apps and users should treat touched secrets as potentially exposed

Here’s the plain-English version: an Injective-related SDK release on npm was reportedly tampered with, and the injected code tried to steal wallet secrets. Injective says the problem was fixed and that network funds were safe. Those two things can both be true at the same time. The chain may be fine; the keys, if handled by the tainted package, are another matter entirely.

According to StepSecurity and reporting from CryptoNews, which cited Socket, the compromised release was @injectivelabs/sdk-ts v1.20.21. The malicious code was reported to have hooked wallet derivation functions such as PrivateKey.fromMnemonic() and PrivateKey.fromHex(), routines that turn a recovery phrase or raw private key into spendable wallet access. In other words: the exact kind of code you really, really do not want turning into a data thief.

For anyone not steeped in JavaScript tooling, npm is the package registry used by Node.js developers to install and share code libraries. It’s a massive dependency pipeline. If one package is compromised, every project downstream can inherit the damage without ever directly “hacking” the blockchain. That’s why supply-chain attacks are so nasty: they ride the trusted rails.

StepSecurity says the malicious release was pushed through a trusted publishing workflow using a maintainer’s GitHub Actions pipeline. That matters. This was not just a random bad upload or a crude typo-squat. It was a compromise of the trust machinery developers rely on to ship software. Elegant, miserable, and exactly the sort of thing that makes security teams age in dog years.

The reported payload allegedly disguised itself as telemetry, then exfiltrated wallet-related data to an Injective-controlled endpoint. StepSecurity says the destination was testnet.archival.chain.grpc-web.injective.network, with data base64-encoded and sent over HTTPS to make it look like ordinary network traffic. That’s a classic trick: hide the theft inside something that looks like routine housekeeping.

Injective’s response, as reported by CryptoNews, was blunt. The issue was fixed, the affected npm versions were deprecated, and CEO Eric Chen said, “No funds on the network are at risk.” That sentence should be read carefully. It means the blockchain itself was not compromised. It does not mean wallet secrets entered into affected apps were automatically safe.

StepSecurity says the tainted version stayed live for less than an hour and was republished clean as 1.20.23 about 49 minutes later. It also says the compromised release spread across 18 @injectivelabs packages total, the main SDK plus 17 packages pinned to the same exact version. That’s the ugly reality of dependency trees: one poisoned branch can touch a lot more than one project before anyone gets suspicious.

CryptoNews, citing Socket, also reported that the package saw roughly 50, 000 weekly downloads and that the compromised version was downloaded 310 times during the incident window. Those numbers measure different things, but together they show the package had real reach. This was not some obscure corner of the internet no one uses. It was a meaningful supply-chain target.

The crucial nuance here is the difference between network funds and wallet secrets. When Injective says no funds were at risk, that appears to refer to the chain itself, not to the safety of any seed phrases or private keys processed by an affected app during the malicious window. If a wallet or frontend handled sensitive material while the bad version was live, that secret should be treated as compromised until proven otherwise.

That may sound alarmist, but crypto does not reward shrug-level security. If a private key leaks, the attacker does not need to “break” the blockchain. They just sign as you. There is no reset button, no cheerful support agent, and no magic undo for a leaked seed phrase. Whoever has the key controls the wallet. End of story.

This incident is also a reminder that the biggest risks in crypto are often not dramatic consensus failures or cinematic chain hacks. They come from the boring seams: package registries, maintainer accounts, build pipelines, dependency pins, and wallet libraries that everyone assumes are safe because they look familiar. That’s where attackers hunt, because that’s where trust lives.

For developers building on Injective or any other chain, the response should be boring in the best possible way:

Audit dependency trees. Check lockfiles. Review CI/CD permissions. Rotate secrets if any affected package handled them during the vulnerable period. And if a wallet-related library was compromised, don’t get cute with “probably fine.” In security, “probably” is how people end up writing incident reports.

For users, the takeaway is just as blunt. If you used a wallet app, trading interface, or browser tool that depended on the affected SDK version while the malicious release was live, and it processed seed phrases or private keys, move funds to a fresh wallet and treat the old one as exposed. Revoke approvals where relevant. The chain may still be intact, but the keys to the front door may have been sitting in the wrong hands.

Key questions and straight answers

  • Was Injective’s blockchain hacked?
    No. Injective said the issue was fixed and that no funds on the network were at risk. The compromise was in npm supply-chain tooling, not the chain itself.

  • What was compromised?
    Reports point to @injectivelabs/sdk-ts v1.20.21, with StepSecurity saying the malicious release also spread across 17 additional Injective-scoped packages pinned to it.

  • What did the malicious code try to steal?
    StepSecurity and Socket-linked reporting say it targeted wallet seed phrases and private keys through normal SDK functions used for key derivation.

  • Were user funds automatically safe?
    Not necessarily. On-chain funds were not reported as compromised, but any wallet secrets processed by an affected app during the exposure window should be treated as potentially exposed.

  • What should affected users do?
    If there is any chance a touched wallet handled the tainted SDK, move funds to a fresh wallet, rotate keys, and revoke approvals where relevant. If an app never touched the bad version, panic is not required, but verification is.

This is the part of crypto that does not make for shiny marketing copy, but it matters more than most of the hype. The chain can be decentralized and resilient, while the software supply chain around it remains full of weak links. That battle is being fought in the plumbing, not just on-chain, and the plumbing is where a lot of people get soaked.

Further reading

A few useful resources on npm supply-chain risk and the Injective incident.

Share this article

Powered by ADBYTES

Advertise smarter.

Adbytes.Media is a transparent advertising network where advertisers reach real audiences and publishers, affiliates & everyday members earn ADBYTES tokens. Join the community and start earning today.

Back to Blog