Injective Labs disclosed a critical supply chain attack after hackers gained access to a developer account and injected malicious code into @injectivelabs/sdk-ts version 1.20.21, the official software development kit used to build wallets, decentralized exchanges, DeFi applications, trading bots, and payment services on the Injective network.
The compromised package, which receives approximately 50,000 downloads weekly, was propagated through 17 related Injective packages, putting at least 87 dependent packages at risk with a combined download count exceeding 112,000. The malicious code masqueraded as technical telemetry collection and activated whenever users created or connected a wallet, intercpting seed phrases and private keys before transmitting them to attacker-controlled servers.
The infected version remained available for less than one hour but was downloaded approximately 310 times during that window. The breach posed a direct threat to developer tools that could have propagated the malware into wallets, exchanges, DeFi services, and other applications throughout the Injective ecosystem. Injective Labs did not disclose whether any user funds were compromised, though the brevity of the attack's exposure and NPM's rapid response likely limited the number of affected applications.
The incident underscores growing risks in cryptocurrency development supply chains, where compromised upstream packages can distribute malware at scale. Developers using the affected SDK version are advised to upgrade immediately and audit their applications for unauthorized access.