The post Injective software package hit by malicious supply chain attack – Details appeared on BitcoinEthereumNews.com.
Software supply chain attacks have become more common, with attackers increasingly targeting trusted developer tools instead of end users. In the latest incident, attackers compromised a trusted Injective Labs software package to steal developers’ wallet credentials. Source: Socket How did Injective SDK attack unfold? The attacker uploaded a malicious version of the TypeScript SDK, @injectivelabs/sdk-ts v1.20.21, to npm. The package was designed for building Injective applications, creating wallets, and signing transactions. The attacker then gained access to a legitimate Injective Labs contributor’s GitHub account and distributed malicious commits. One test branch was named “test-backdoor-check.” Under the guise of telemetry, the attacker published the compromised package to npm. Instead of collecting usage data, the malware extracted private keys and mnemonic seed p
Injective's new infrastructure could accelerate enterprise adoption of blockchain, enhancing asset tokenization and compliance in finance.
The post Injective launches institutional infrastructure page to onboard enterprises into onchain finance appeared first on Crypto Briefing.
The post Funds were never at risk: Injective dismisses npm package threat appeared on BitcoinEthereumNews.com.
Injective has dismissed concerns that user funds were compromised after attackers planted wallet-key-stealing code in 18 of its official npm developer packages. Meanwhile, security firms warn that the attack exposed the private keys and seed phrases that passed through the software. What happened to Injective? The attack on Injective started when two malicious code changes were pushed directly to the main code branch under the name “thomasRalee” who is a real developer that had previously contributed to the project. There was no code review or pull request, which is unusual, but this gap allowed the bad code to bypass security checks. The malicious code, found by the security firm Socket, was hidden inside version 1.20.21 of @injectivelabs/sdk-ts, the TypeScript SDK that wallets, exchange front ends, and trading bots use to build on Injective. The attackers reportedly adde
The post Injective Thwarts npm Supply Chain Attack, Says No Funds Were at Risk appeared on BitcoinEthereumNews.com.
Injective says the npm supply chain issue was resolved before downloads, with zero user funds at risk or compromised. Injective said it resolved a potential compromise involving its npm packages after several public security reports. The project said no user funds were at risk during the incident. The team said internal monitoring detected the issue before any affected package version was downloaded. It then removed the affected versions and released a clean replacement package. Injective said the malicious package recorded zero downloads before it was deprecated. Therefore, developers using the project’s SDK were not exposed through that package. The update comes as crypto projects face growing risks from software supply chain attacks. Moreover, Injective said its response prevented user exposure before the issue reached production use. Injective Responds to npm Package
Injective says the npm supply chain issue was resolved before downloads, with zero user funds at risk or compromised. Injective said it resolved a potential compromise involving its npm packages after several public security reports. The project said no user funds were at risk during the incident. The team said internal monitoring detected the issue […]
The post Injective Thwarts npm Supply Chain Attack, Says No Funds Were at Risk appeared first on Live Bitcoin News.
Rapid response to the npm compromise highlights the critical need for robust security measures and vigilant monitoring in software development.
The post Injective resolves npm package compromise in under an hour with zero user impact appeared first on Crypto Briefing.
The post Compromised Injective SDK sends wallet keys through fake telemetry appeared on BitcoinEthereumNews.com.
A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found. Summary Socket found that a compromised Injective npm package copied private keys and seed phrases through fake telemetry. The malicious version was downloaded more than 300 times and spread through 17 related Injective Labs packages. CertiK reported that wallet compromises caused $444 million in losses during the first half of 2026. According to security firm Socket, version 1.20.21 of the @injectivelabs/sdk-ts npm package, which has about 50,000 weekly downloads, was altered after a developer’s GitHub account was compromised. Suspicious commits began on June 8, and the malicious release was later pinned across 17 other packages under the Injective Labs npm scope. The security firm said the code intercepted wallet key-g
A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found. According to security firm Socket, version 1.20.21 of the @injectivelabs/sdk-ts npm package, which has about…
The incident highlights the critical need for enhanced security measures in software supply chains to protect sensitive crypto assets.
The post Hackers attempt to backdoor Injective npm package to steal wallet keys appeared first on Crypto Briefing.