News · News

Injective SDK Backdoored on npm: Attackers Hijacked GitHub Repo to Plant Wallet-Key Stealer

Attackers hijacked the Injective Labs SDK GitHub repo to publish a malicious npm package designed to steal cryptocurrency wallet keys from developers and apps.

Injective SDK Backdoored on npm: Attackers Hijacked GitHub Repo to Plant Wallet-Key Stealer

Attackers compromised the Injective Labs SDK GitHub repository and used that access to publish a malicious npm package backdoored to steal cryptocurrency wallet keys, according to BleepingComputer. The breach is a direct supply-chain threat to every developer and application building on Injective — a Layer-1 blockchain whose SDK handles transaction signing and key management across decentralized apps.

X
XRP
XRP
View coin →
$1.11 1.52%
Market cap · $69.43B

How the Attack Worked

The attack vector was simple and brutal. By seizing control of the trusted GitHub repository that governs the official Injective SDK project, the attackers pushed a poisoned package to the npm registry under the legitimate Injective SDK name. Downstream detection was nearly impossible. Developers pulling the package through standard dependency managers had no obvious signal anything was wrong — the package name, the publisher, and the repository lineage all looked clean. Once installed, the backdoor was built to exfiltrate private keys, seed phrases, and wallet credentials processed by any application running Injective wallet workflows.

Researcher Findings

Socket researchers first flagged the incident. The StepSecurity blog references a July 8, 2026 attack in which an adversary used access to a trusted developer’s account to backdoor 18 packages tied to Injective, targeting crypto wallet keys. The precise scope of those 18 packages — whether all are Injective-specific or span adjacent ecosystem projects — is attributed to StepSecurity’s analysis and has not been independently confirmed as Injective-only.

Scope and Impact

The blast radius is potentially severe. Injective is a Layer-1 chain built for finance. Its SDK is the plumbing for transaction signing, wallet interaction, and key management across dApps, wallets, and services. Any developer who installed the compromised package may have unknowingly handed attackers access to private keys or seed phrases — and the exposure doesn’t stop at the developer’s machine. If the poisoned SDK was shipped inside a production application, end-user wallets touching that application could also be at risk.

A Broader Pattern of npm Crypto Attacks

This is not a one-off. npm has become a prime hunting ground for crypto theft over the past 15 months. In April 2025, the official XXRP$1.111.52%/XRPL npm package was backdoored with a crypto-stealing payload, as Aikido Security reported. Five months later, a phishing campaign against npm maintainers resulted in 18 popular JavaScript packages being laced with malicious code designed to steal cryptocurrency, per KrebsOnSecurity. That same month, malicious npm packages impersonating Flashbots surfaced with identical wallet-stealing capabilities, according to The Hacker News. The pattern holds across every case: attackers go after trusted maintainers and official repositories because one compromised publish can silently reach thousands of downstream projects before anyone catches it.

What Developers Should Do Now

Developers who may have installed the compromised Injective SDK package need to move now. Audit installed package versions against known-good hashes. Rotate any potentially exposed private keys and seed phrases immediately — before anything else. Then update only to a clean, verified release from Injective Labs. Reinstalling from npm without first confirming the malicious version has been pulled and replaced risks re-exposure.

Injective Labs had not issued a public statement through its official channels as of publication. Developers should watch the project’s official X/Twitter account, Discord, and GitHub repository for a post-incident response and confirmation of a clean release before resuming any dependency updates.

Market Context

The attack lands in a tense market. The crypto Fear & Greed Index sits at 23/100 — Extreme Fear — with total market capitalization at $2,278.11B and 24-hour trading volume of $64.74B. BBTC$64,212.002.19% trades at $63,907, up 2.17% on the day. EETH$1,783.361.74% holds at $1,773. Supply-chain attacks like this one deepen the trust deficit already running through the ecosystem, where developers building on-chain financial infrastructure now have to treat even official package registries as suspect until verified. The immediate thing to watch: whether Injective Labs publishes a clean SDK release alongside a post-mortem detailing how the GitHub repository was breached — and whether the attacker’s access has been fully revoked.

Nadia Rahman

Nadia Rahman

Markets Editor · 9 years covering crypto · Author page

Nadia Rahman is CoinScoop's Markets Editor. She covers Bitcoin, macro liquidity and the spot-ETF complex, and previously reported on rates and FX for a global newswire.

Disclosure: This article is independent journalism and is for information only — it is not financial advice. CoinScoop is reader-supported and may earn a commission from some links. Read our disclosure policy →