Socket Flags Malicious Code Inserted Into Injective npm Package
AI Market Summary
Socket flagged a supply-chain compromise of Injective's @injectivelabs/sdkts npm package, where attackers injected code to exfiltrate private keys/seed phrases and routed data to a spoofed endpoint. With ~50k weekly downloads and the malicious version pinned across 17 related packages, the incident elevates ecosystem security risk, potentially suppressing near-term confidence in Injective-linked tooling and dApp activity until remediation and audits are completed.
Impact level
● Medium
Affected assets
INJ/USDT+0.98%
AI Insight · INJ/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Security firm Socket said it identified a supply-chain compromise involving the Injective blockchain's npm package @injectivelabs/sdkts, according to Cointelegraph. The firm reported that attackers gained access to a developer's GitHub account and pushed changes that added code intended to steal wallet private keys and seed phrases. The exfiltrated data was then sent to a server posing as a legitimate Injective network endpoint. The package sees about 50,000 downloads per week. Socket said the malicious release, version 1.20.21, included suspicious commits beginning June 8 and that the compromised version was also pinned as a dependency in 17 other packages under the Injective Labs npm scope.