Loading article…
Hackers injected malware into the @injectivelabs/sdk‑ts npm package on July 8 2026, exfiltrating wallet keys. Learn how many downloads were affected and what
A malicious version of the widely used @injectivelabs/sdk‑ts npm package was published on July 8 2026, and within an hour it was pulled after 310 downloads were recorded, exposing any wallet keys generated by the compromised code [2].
| At a glance | |
|---|---|
| Date of compromise | July 8 2026 |
| Malicious version | 1.20.21 |
| Downloads before removal | 310 (claimed) |
| Packages affected | 18 (sdk‑ts + 17 dependents) |
Security firm Socket first flagged the supply‑chain breach, noting that a trusted maintainer’s GitHub account was used to push the malicious commit directly to the master branch without a pull request [2]. The injected file, key‑derivation‑telemetry.ts, silently called a telemetry function every time the SDK’s PrivateKey.fromMnemonic or PrivateKey.fromHex methods were invoked, capturing the full BIP‑39 seed phrase or private key and sending it to a server masquerading as an Injective network endpoint [2][1]. Because the backdoor operated at runtime rather than via a post‑install script, any application that imported the compromised SDK—whether directly or through one of the 17 dependent packages—triggered the exfiltration automatically.
Injective Labs announced that the issue was identified and resolved “immediately,” and the team asserted that the malicious versions were deprecated and that “zero downloads” occurred [1]. Socket, however, reported 310 downloads of the tainted package before it was removed [2]. No funds have been confirmed stolen, and the project’s CEO emphasized that the network’s assets remain safe [1]. The incident adds to a growing trend of supply‑chain attacks targeting developer tools, as highlighted by the Security Alliance’s Q2 threat report, which noted a rise in such campaigns and $444 million stolen across 33 incidents in the first half of 2026 [1].
@injectivelabs/sdk‑ts package for additional security audits or patches.The breach underscores the vulnerability of trusted development libraries: even without direct attacks on blockchain smart contracts, compromising a single SDK can expose private keys across an entire ecosystem. Whether further undisclosed downloads occurred remains unclear, leaving developers to weigh the risk of legacy code that may still contain the backdoor.
Coverage is mostly measured — 8 of 8 reports stay neutral.
Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.
Free · 3-min read · one-click unsubscribe
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 2 outlets · Jul 18, 2026 · How we report
Injective filed a transfer agent registration with the SEC to maintain on‑chain ownership records for tokenized securities.
No, the filing is pending and the SEC may request additional information before making a final determination.
No, the malicious package had zero downloads and was removed before any developers could use it, so no funds were at risk.
Injective deprecated the affected package versions, released clean replacements, and implemented additional protections for its npm supply chain.
The network can settle transactions in less than one second, allowing ownership updates to occur almost instantly.