Injective successfully neutralized a supply chain attack targeting its npm developer packages, with the project confirming that no user funds were ever at risk or compromised. The incident involved malicious code planted across 18 official packages, designed to steal wallet private keys and seed phrases.
How the attack unfolded: On July 10, 2026, security firms detected that bad code had been introduced into version 1.20.21 of @injectivelabs/sdk-ts—the TypeScript SDK used to build wallets, frontends, and trading bots on Injective. The malicious payload hid inside a fake analytics file that hooked into PrivateKey.fromMnemonic() and PrivateKey.fromHex(), intercepting sensitive secrets and sending them to a remote server disguised as an official Injective domain. That compromised version was pinned across 17 other @injectivelabs packages, meaning even indirect dependency downloads could expose developers.
Rapid detection and response: Injective’s internal security monitoring flagged the issue before any affected package version was downloaded by developers, according to the project. The team immediately deprecated the tainted release, and replaced it with a clean version (1.20.23). Injective stressed that no on‑chain systems, smart contracts, wallets, or user transactions were affected, and that there was no need for emergency fund movements. However, the incident still raised concerns because the malicious package was reportedly downloaded over 300 times during its brief availability window (less than one hour)—a detail that contrasts with Injective’s claim of zero downloads for the malicious package itself.
Industry‑wide implications: The attack highlights growing risks of software supply chain compromises in crypto, where developer tooling is often targeted. Injective responded by adding further protections to its SDK pipeline, and advised all developers to upgrade to the clean version immediately. Security firm StepSecurity warned that anyone whose application pulled the bad release should treat wallet secrets as exposed and rotate them. The project’s nearly five‑year mainnet record remains free of any exploited on‑chain vulnerability.