Injective Thwarts npm Supply Chain Attack, Zero Funds Compromised

yesterday / 21:43 2 sources neutral

Key takeaways:

  • Injective's swift incident response may boost INJ's market perception as a resilient DeFi platform.
  • The npm attack exposes systemic developer tooling risks that could pressure altcoin valuations across crypto.
  • Contradictory download claims risk undermining immediate investor trust, potentially affecting INJ sentiment.

Injective successfully neutralized a supply chain attack targeting its npm developer packages, with the project confirming that no user funds were ever at risk or compromised. The incident involved malicious code planted across 18 official packages, designed to steal wallet private keys and seed phrases.

How the attack unfolded: On July 10, 2026, security firms detected that bad code had been introduced into version 1.20.21 of @injectivelabs/sdk-ts—the TypeScript SDK used to build wallets, frontends, and trading bots on Injective. The malicious payload hid inside a fake analytics file that hooked into PrivateKey.fromMnemonic() and PrivateKey.fromHex(), intercepting sensitive secrets and sending them to a remote server disguised as an official Injective domain. That compromised version was pinned across 17 other @injectivelabs packages, meaning even indirect dependency downloads could expose developers.

Rapid detection and response: Injective’s internal security monitoring flagged the issue before any affected package version was downloaded by developers, according to the project. The team immediately deprecated the tainted release, and replaced it with a clean version (1.20.23). Injective stressed that no on‑chain systems, smart contracts, wallets, or user transactions were affected, and that there was no need for emergency fund movements. However, the incident still raised concerns because the malicious package was reportedly downloaded over 300 times during its brief availability window (less than one hour)—a detail that contrasts with Injective’s claim of zero downloads for the malicious package itself.

Industry‑wide implications: The attack highlights growing risks of software supply chain compromises in crypto, where developer tooling is often targeted. Injective responded by adding further protections to its SDK pipeline, and advised all developers to upgrade to the clean version immediately. Security firm StepSecurity warned that anyone whose application pulled the bad release should treat wallet secrets as exposed and rotate them. The project’s nearly five‑year mainnet record remains free of any exploited on‑chain vulnerability.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.