
Researchers at Socket discovered a compromised version of the Injective SDK npm package, version 1.20.21, which intercepted wallet seed phrases and private keys.
The incident is linked to the compromise of a developer’s GitHub account. According to Socket, suspicious commits appeared on June 8, 2026.
The malicious release altered key derivation functions, stored private keys and seed phrases, and then sent them via fake telemetry to an address disguised as an Injective server.
Socket also detected version 1.20.21 in 17 other packages within the Injective Labs namespace on npm. This could have affected users who did not install the SDK directly.
Researchers advised treating any keys and seed phrases processed through the affected packages as compromised. According to Socket, the malicious version was downloaded at least 300 times. The hacker attack had not been fully contained at the time of publication.
Injective CEO Eric Chen stated that the issue has been resolved and the affected versions on npm have been marked as deprecated. He assured that funds on the network are not at risk. Socket did not report any confirmed theft of funds.
In July, CertiK analysts reported that wallet compromises were the most costly attack vector in the first half of 2026, with losses amounting to $444.5 million across 33 incidents.
