Security researchers at SlowMist have uncovered a critical vulnerability within the Injective development ecosystem. A malicious dependency has been injected into the official Injective SDK, designed to covertly harvest wallet private keys during the compilation phase.
The compromised package operates stealthily, intercepting wallet generation functions once a developer builds the working environment. When triggered, the malicious component collects sensitive seed phrases and transmits them to servers controlled by external attackers. SlowMist emphasized that this is not a flaw in the Injective blockchain itself, but a software supply chain attack that exploits the open-source dependency pipeline.
According to the firm's report, the code is able to redirect extracted data without alerting the developer. The risk is immediate for any project or user whose wallet was built using the tainted SDK version. SlowMist urged all teams to immediately review installed dependencies and replace the affected library with verified official releases from main repositories.
The discovery adds to a worrying trend of supply chain attacks in Web3 environments, which have increased over the past year. It highlights how crucial it is for development teams to implement continuous audits and cryptographic signatures on every imported module. The incident also carries implications for institutional compliance, as corporate audit teams now face renewed pressure to enforce rigorous software integrity checks before deployment.
While no fund losses have yet been reported, the advisory serves as a stark reminder that crypto infrastructure security must begin at the earliest stages of code development. The market's ongoing shift toward institutional standards makes such supply chain integrity reviews indispensable.