Injective SDK Compromise: Fake Telemetry Stole Wallet Keys via Compromised npm Packages

A compromised Injective SDK (injectivelabs/sdk-ts) was used to expose private keys and seed phrases through fake telemetry. Security firm Socket reports that version 1.20.21 of @injectivelabs/sdk-ts was altered after a developer’s GitHub account was compromised. The malicious package was downloaded more than 300 times and later pinned across 17 related Injective Labs npm packages under the Injective scope. The Injective SDK malware intercepted wallet key-generation functions, recorded private keys and recovery phrases, then encoded and sent the data to a lookalike web address designed to resemble an Injective server. Socket warns: any keys or mnemonics processed through the affected Injective SDK packages should be treated as compromised, even if an application did not install the SDK directly (because the tainted code spread through dependencies). CertiK data referenced in the article says wallet compromises were the costliest crypto attack method in H1 2026, with $444 million stolen across 33 cases. Injective said the affected npm releases were deprecated and the issue is fixed, and it did not report funds at risk on-chain (Socket did not confirm whether assets were stolen). This is a supply-chain attack targeting developer tooling—highlighting broader malware distribution via GitHub and npm—rather than attacking blockchain cryptography or smart contracts.
Bearish
This is a wallet-key compromise risk, not a mere code-quality issue. Even if Injective says no on-chain funds are confirmed at risk, the report suggests real exposure of private keys/seed phrases via the Injective SDK supply chain (fake telemetry + dependency spread across 17 packages). Historically, such incidents often trigger short-term de-risking by exchanges and users, potential throttling of integrations, and a risk premium on the affected ecosystem token(s). In the short term, traders may expect negative sentiment, lower spot demand, and higher volatility around Injective-related infrastructure and DeFi positions—especially if any downstream apps acknowledge user exposure. In the longer term, the market impact depends on (1) whether stolen keys are actually confirmed, (2) how quickly dependency scanners and wallets respond, and (3) whether trust in developer tooling around Injective’s stack recovers. Parallels include past npm/GitHub supply-chain malware cases (e.g., attacks aimed at developer workflows rather than protocols), which typically cause immediate credibility damage and can keep prices pressured until incident scope and remediation are clearly verified. Overall, the uncertainty and potential for further contamination make the near-term outlook risk-off (bearish).