Login
Sign Up
Woofun AI reports that StepSecurity identified a supply chain attack targeting Injective-related npm packages. Attackers exploited trusted developer permissions to embed backdoors in 18 packages, including sdk-ts v1.20.21. These backdoors masqueraded as "key derivation telemetry" but actually exfiltrated seed phrases and private keys to a malicious gRPC domain upon wallet creation or loading. The compromised version was reverted to the clean v1.20.23 release approximately 49 minutes post-deployment. Users who installed the affected packages during this window must assume their wallet keys are compromised and take immediate remedial action.