StepSecurity npm Supply Chain Attack Compromises 18 Injective Packages
2026-07-10 11:59

Woofun AI reports that StepSecurity identified a supply chain attack targeting Injective-related npm packages. Attackers exploited trusted developer permissions to embed backdoors in 18 packages, including sdk-ts v1.20.21. These backdoors masqueraded as "key derivation telemetry" but actually exfiltrated seed phrases and private keys to a malicious gRPC domain upon wallet creation or loading. The compromised version was reverted to the clean v1.20.23 release approximately 49 minutes post-deployment. Users who installed the affected packages during this window must assume their wallet keys are compromised and take immediate remedial action.

Disclaimer: Views are the author's own and do not represent the platform. Do not reproduce without permission. Content is for reference only, not investment advice. Trade at your own risk.
Tags:
Injective
StepSecurity
sdk-ts
Foresight News
Share:
back