Loading article…
Hackers injected a backdoor into Injective’s TypeScript SDK (v1.20.21), stealing wallet keys from over 300 downloads; see how the supply‑chain breach unfolded
Injective’s popular TypeScript SDK (npm @injectivelabs/sdk‑ts) was compromised for under an hour on July 8‑9, 2026, exposing wallet mnemonics and private keys from roughly 300 downloads before a clean version (v1.20.23) was published [1].
| At a glance | |
|---|---|
| Package | @injectivelabs/sdk‑ts v1.20.21 |
| Weekly downloads | ~50,000 |
| Downloads of malicious version | >300 |
| Duration of malicious code | ~49 minutes |
| Catalyst | Supply‑chain attack via compromised maintainer account |
Attackers gained write access to a trusted maintainer’s GitHub account and pushed a malicious commit directly to the master branch, bypassing pull‑request review [2]. The change added a 79‑line file called key‑derivation‑telemetry.ts, which silently called trackKeyDerivation from the SDK’s wallet‑creation methods PrivateKey.fromMnemonic and PrivateKey.fromHex. Each call captured the full BIP‑39 seed phrase or raw private key, batched the data, base64‑encoded it, and exfiltrated it to an obfuscated endpoint on Injective’s testnet infrastructure [2]. Because the backdoor lived in the SDK itself, any of the 18 related packages that pinned the exact version also pulled in the compromised code, extending the risk transitively [2].
The malicious release (v1.20.21) was live for roughly 49 minutes before the maintainer reverted the commit and a clean version (v1.20.23) was republished [2]. Socket detected the breach and warned developers to treat any wallet credentials processed by the compromised releases as fully exposed, recommending immediate upgrades and dependency‑chain reviews [1]. While the SDK sees about 50 k weekly downloads, the specific malicious version was downloaded more than 300 times before removal, and the compromised package remains listed as a deprecated download on npm [1][3].
The incident highlights the high‑value target that developer tooling represents in the crypto stack. Even a brief supply‑chain breach can expose sensitive keys for thousands of users, given the SDK’s role in building wallets, DEX front‑ends, and trading bots. Although no confirmed thefts have been reported, the potential for downstream loss remains significant, especially for projects that cached the tainted package or built production binaries during the window [1].
The breach underscores the fragility of open‑source supply chains in Web3, where a single compromised maintainer can jeopardize the security of an entire ecosystem. Ongoing vigilance of package versions and rapid response protocols will be crucial to prevent similar incidents.
Coverage is mostly measured — 8 of 8 reports stay neutral.
Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.
Free · 3-min read · one-click unsubscribe
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jul 18, 2026 · How we report
Injective filed a transfer agent registration with the SEC to maintain on‑chain ownership records for tokenized securities.
No, the filing is pending and the SEC may request additional information before making a final determination.
No, the malicious package had zero downloads and was removed before any developers could use it, so no funds were at risk.
Injective deprecated the affected package versions, released clean replacements, and implemented additional protections for its npm supply chain.
The network can settle transactions in less than one second, allowing ownership updates to occur almost instantly.