Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Injective npm Supply Chain Attack: 18 Packages Backdoored to Steal Crypto Wallet Keys

On July 8, 2026, attackers gained access to a trusted developer's npm account and injected backdoored code into 18 packages of the Injective blockchain SDK. The malicious code, disguised as analytics, stole wallet recovery phrases and private keys, exfiltrating them to an attacker-controlled server. The compromise was detected and remediated within an hour.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
18 npm packages related to the Injective blockchain SDK; any application that installed affected packages during the compromise window or from cached copies
Ecosystems
Attack vectors
Affected entities
  • Injective blockchain SDK packages18 related packages compromised via backdoored code

On July 8, 2026, attackers compromised a trusted developer's npm account and used it to inject malicious code into 18 related packages of the Injective blockchain SDK. The backdoor was disguised as harmless analytics functionality but actually captured sensitive wallet data including recovery phrases and private keys.

The malicious code exfiltrated stolen credentials to an attacker-controlled server whenever a wallet was created or loaded. Automatic publishing mechanisms distributed the tainted code across all 18 packages within minutes of the initial compromise.

The backdoored packages remained live for less than an hour before being detected, pulled from npm, and fixed. However, any application that installed the affected packages during the compromise window or subsequently retrieved cached copies may have been affected and should treat any wallet secrets handled by those packages as compromised.

This incident demonstrates the critical risk of account takeover attacks against trusted developers in the cryptocurrency ecosystem, where a single compromised account can rapidly distribute malicious code to multiple dependent packages.

Indicators of compromise

Packages
  • Injective blockchain SDK (18 related packages - specific names not provided in source)

Remediation

  • Immediately revoke and rotate any wallet recovery phrases and private keys that may have been exposed to the affected packages
  • Audit application logs to determine if any of the 18 affected Injective SDK packages were installed during the July 8, 2026 compromise window
  • Clear npm cache and reinstall packages from verified, patched versions only
  • Implement strict package pinning and integrity verification for critical dependencies
  • Enable 2FA and use hardware security keys on all npm accounts with publishing rights
  • Monitor for unauthorized account access and publishing activity on developer accounts
  • Consider using private npm registries with additional access controls for sensitive blockchain-related packages

Sources

  1. Injective npm Supply Chain Attack: 18 Packages Backdoored to Steal Crypto Wallet Keys · StepSecurity

Cite this entry

"Injective npm Supply Chain Attack: 18 Packages Backdoored to Steal Crypto Wallet Keys." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 8, 2026; last updated July 9, 2026. https://supplychainattack.org/incident/injective-npm-supply-chain-attack-18-packages-backdoored-to-steal-crypto-wallet-1wx0ka

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activecritical

    The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave

    TeamPCP conducted a multi-ecosystem supply chain compromise targeting the @antv package and associated development infrastructure. The attack leveraged GitHub, NPM, and VSCode to steal credentials and establish persistence mechanisms.

    TeamPCPnpmOtherAccount takeoverCompromised packageMalicious maintainer
  2. activecritical

    Shai-Hulud: Here We Go Again. Mass npm Supply Chain Attack Hits the AntV Ecosystem

    A new wave of the Mini Shai-Hulud worm has compromised multiple npm packages across Alibaba's AntV data visualization ecosystem, including echarts-for-react and timeago.js. Stolen CI/CD secrets are being exfiltrated and dumped to thousands of public GitHub repositories as the attack spreads.

    Mini Shai HuludnpmOtherCompromised packageAccount takeover
  3. activecritical

    Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope

    The Shai-Hulud worm has hijacked intercom-client@7.0.4 (361,510 weekly downloads) via a compromised GitHub Actions OIDC publishing pipeline, 29 hours after compromising mbt@1.2.48 and @cap-js/sqlite@2.2.2. The worm is actively propagating through CI/CD infrastructure stolen from earlier victims, targeting multi-cloud credentials (AWS, GCP, Azure).

    Shai-HuludnpmOtherCompromised packageBuild-system compromiseAccount takeover
  4. activecritical

    axios Compromised on npm - Malicious Versions Drop Remote Access Trojan

    A maintainer account for the widely-used axios npm package was compromised and used to publish poisoned versions 1.14.1 and 0.30.4. The malicious releases contained a hidden dependency that drops a cross-platform remote access trojan (RAT).

    UNC1069npmAccount takeoverCompromised package