Injective Labs npm SDK Compromised in Supply Chain Attack Targeting Crypto Wallets
Attackers breached Injective Labs’ official source code repository, injecting malicious code into the company’s npm SDK packages a trusted developer toolkit used by blockchain and DeFi application builders on the Injective Protocol. The compromised packages, distributed through the legitimate repository, contained credential-stealing malware designed to exfiltrate cryptocurrency wallet seed phrases and private keys directly from developers’ environments.
Unlike typosquatting or lookalike attacks, this was a repository-level compromise, meaning even developers who verified package authenticity checking publisher identity, download sources, and provenance unwittingly installed the tainted SDK. Standard supply chain security practices, such as confirming package origins, offered no protection, as the official source itself was compromised.
The attack specifically targeted BIP-39 mnemonic seed phrases, which grant irreversible access to all wallet addresses derived from them. Once stolen, these phrases allow attackers to drain funds from every associated wallet, with no revocation mechanism available. The malware also sought private keys and credentials stored in developers’ environments, amplifying the risk for those working with production wallets.
The Injective Protocol’s DeFi-focused ecosystem made its developers prime targets. Unlike traditional software development, DeFi builders often test integrations against live blockchains, requiring real wallet credentials in their environments. This operational reality meant the compromised SDK had access to high-value production wallets, not just test accounts with minimal balances.
The incident highlights a critical gap in supply chain security: verifying package authenticity is insufficient when the official repository is breached. Previous attacks, such as fake Paysafe or Skrill SDK campaigns, relied on deception to trick developers into installing counterfeit packages. In contrast, the Injective breach exploited trust in the legitimate source, bypassing identity-based defenses entirely.
Developers who installed or updated the affected npm packages during the compromise window were advised to treat all credentials in their environments as compromised. This included migrating funds to new wallets, rotating API keys, and auditing production systems for exposed credentials. Official disclosure materials from Injective Labs provided details on the affected packages, versions, and the exact exposure period.
Injective Labs TPRM report: https://www.rankiteo.com/company/injectivelabs
Injective Protocol TPRM report: https://www.rankiteo.com/company/injectivelabs
"id": "inj1783693487",
"linkid": "injectivelabs",
"type": "Breach",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Developers using the '
'compromised npm SDK packages',
'industry': 'Cryptocurrency/Blockchain',
'name': 'Injective Labs',
'type': 'Blockchain/DeFi Protocol'}],
'attack_vector': 'Repository-level compromise',
'customer_advisories': 'Developers advised to treat all credentials in their '
'environments as compromised and take remediation '
'steps.',
'data_breach': {'data_exfiltration': 'Yes (malware designed to exfiltrate '
'data)',
'personally_identifiable_information': 'Wallet seed phrases '
'and private keys '
'(linked to '
'cryptocurrency '
'holdings)',
'sensitivity_of_data': 'High (BIP-39 mnemonic seed phrases, '
'private keys)',
'type_of_data_compromised': ['Cryptocurrency wallet seed '
'phrases',
'Private keys',
'Credentials']},
'description': 'Attackers breached Injective Labs’ official source code '
'repository, injecting malicious code into the company’s npm '
'SDK packages. The compromised packages contained '
'credential-stealing malware designed to exfiltrate '
'cryptocurrency wallet seed phrases and private keys directly '
'from developers’ environments. The attack targeted BIP-39 '
'mnemonic seed phrases, which grant irreversible access to all '
'wallet addresses derived from them, and also sought private '
'keys and credentials stored in developers’ environments.',
'impact': {'brand_reputation_impact': 'Exploitation of trust in official '
'repository',
'data_compromised': 'Cryptocurrency wallet seed phrases, private '
'keys, credentials',
'identity_theft_risk': 'High (irreversible access to wallet '
'addresses)',
'operational_impact': 'Developers advised to migrate funds to new '
'wallets, rotate API keys, and audit '
'production systems',
'payment_information_risk': 'High (private keys and seed phrases '
'compromised)',
'systems_affected': "Developers' environments, production wallets"},
'initial_access_broker': {'entry_point': 'Official source code repository',
'high_value_targets': 'Developers working with '
'production wallets'},
'lessons_learned': 'Verifying package authenticity is insufficient when the '
'official repository is breached. Supply chain security '
'must account for repository-level compromises.',
'motivation': 'Financial gain (cryptocurrency theft)',
'post_incident_analysis': {'corrective_actions': 'Enhanced repository '
'security, developer '
'advisories for credential '
'rotation and wallet '
'migration',
'root_causes': 'Repository-level compromise of '
'official npm SDK packages'},
'recommendations': 'Developers should treat all credentials in compromised '
'environments as exposed, migrate funds to new wallets, '
'rotate API keys, and audit production systems for exposed '
'credentials.',
'references': [{'source': 'Injective Labs official disclosure'}],
'response': {'communication_strategy': 'Official disclosure materials '
'provided to developers',
'containment_measures': 'Official disclosure of affected '
'packages, versions, and exposure period',
'remediation_measures': 'Developers advised to migrate funds to '
'new wallets, rotate API keys, and audit '
'production systems'},
'title': 'Injective Labs npm SDK Compromised in Supply Chain Attack Targeting '
'Crypto Wallets',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Trust in official source repository'}