ON July 8, 2026, a supply chain attack targeted the Injective blockchain's npm packages, compromising a trusted developer's account to inject malicious code into 18 software development packages. This backdoor, disguised as analytics code, captured wallet recovery phrases and private keys, exfiltrating them to a remote server. The malicious versions (1.20.21) of these packages were published for only about 49 minutes before being reverted and replaced with clean versions (1.20.23).
Users who installed the affected packages should consider their secrets compromised. The attack highlighted vulnerabilities both in npm and GitHub infrastructure, raising awareness of potential risks in software supply chains.