Researchers at Socket found a compromised version of the Injective SDK npm package, version 1.20.21, which intercepted seed phrases and private wallet keys.
The incident is linked to the compromise of a developer's GitHub account. According to Socket, suspicious commits appeared on June 8, 2026.
The malicious release altered key derivation functions, saved private keys and seed phrases, and then sent them via fake telemetry to an address disguised as an Injective server.
Socket also identified version 1.20.21 in 17 packages within the Injective Labs namespace on npm. This could have affected users who did not install the SDK directly.
Researchers advised treating any keys and seed phrases that passed through the affected packages as compromised. Socket reported that the malicious version was downloaded at least 300 times. By the time of publication, the hacker attack had not been fully contained.
Injective CEO Eric Chen stated that the issue has been resolved, and the affected versions on npm have been marked as deprecated. He assured that funds on the network are not at risk. Socket did not report any confirmed theft of funds.
It’s worth noting that in July, CertiK analysts identified wallet compromises as the most costly attack vector in the first half of 2026, with losses totaling $444.5 million across 33 incidents.
