Loading article…
Injective halted a malicious npm package before any downloads, confirming zero user funds were exposed despite claims of 310 downloads.
Injective announced that a compromised NPM package targeting its SDK was deprecated before any developer could download it, meaning no wallet keys were stolen and user funds remained safe【3】. The swift internal detection underscores the growing importance of supply‑chain security for crypto development tools.
| At a glance | |
|---|---|
| Downloads claimed by researcher | 310 |
| Injective’s reported downloads | 0 |
| TVL (current) | $8.2 M |
| TVL (mid‑2024 peak) | $71 M |
| Attack start (suspicious commits) | June 8, 2026 |
Security firm Socket discovered that version 1.20.21 of the @injectivelabs/sdk‑ts NPM package had been altered through a compromised GitHub account, inserting code that would capture wallet private keys and seed phrases during key‑derivation calls【1】. The malicious code was pinned across 17 other packages in the Injective Labs scope, potentially exposing any developer who installed the SDK or its dependencies. Socket reported that the altered package had been downloaded more than 300 times, though Injective contested this figure, stating that the affected versions were deprecated before any download occurred【1】.
Injective’s security team detected the unauthorized changes through internal monitoring, immediately removed the compromised versions, and released a clean replacement package. In its public statement, the project emphasized that “zero downloads” were recorded and that “no user funds were ever at risk”【3】. The incident highlights how attackers are shifting from direct smart‑contract exploits to compromising developer tooling—a vector that can grant immediate access to wallet credentials if successful.
Injective’s total value locked (TVL) has contracted sharply, falling 88 % from a peak of $71 million in mid‑2024 to roughly $8.2 million at the time of reporting【1】. This decline reflects waning DeFi activity on the layer‑1 platform, making any security breach—even one that did not result in fund loss—particularly salient for the remaining user base. The broader crypto ecosystem has seen a rise in supply‑chain attacks, with notable incidents targeting other NPM packages and even GitHub repositories earlier in 2026【1】. Such attacks exploit the trust developers place in open‑source dependencies, and the rapid response by Injective demonstrates a growing capability to mitigate these threats before they reach production.
@injectivelabs/sdk‑ts package for unexpected changes or new version numbers.The incident underscores that while supply‑chain attacks remain a potent risk, proactive monitoring and swift remediation can prevent actual fund loss, reinforcing the need for continuous security audits across the crypto development stack.
Coverage is mostly measured — 8 of 8 reports stay neutral.
Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.
Free · 3-min read · one-click unsubscribe
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jul 18, 2026 · How we report
Injective filed a transfer agent registration with the SEC to maintain on‑chain ownership records for tokenized securities.
No, the filing is pending and the SEC may request additional information before making a final determination.
No, the malicious package had zero downloads and was removed before any developers could use it, so no funds were at risk.
Injective deprecated the affected package versions, released clean replacements, and implemented additional protections for its npm supply chain.
The network can settle transactions in less than one second, allowing ownership updates to occur almost instantly.