Hackers attempted to inject malicious code into the Injective npm package, aiming to steal private wallet keys from developers and applications using the library. Socket researchers discovered the backdoor before it caused widespread damage.
The attack targeted the npm package ecosystem, where developers download dependencies for blockchain applications. Injective, a layer-one blockchain focused on derivatives trading, maintains packages that developers integrate into wallet management systems. A compromised package could have exposed private keys during wallet operations, giving attackers direct access to user funds.
This represents a supply chain attack. Rather than targeting Injective's protocol directly, attackers went after the development tools that builders rely on. Once installed, the backdoored code would execute silently in production environments, harvesting keys from any wallet interactions.
Socket's discovery prevented the code from reaching developers at scale. The firm specializes in detecting malicious packages across npm, PyPI, and other registries. Their tools flag suspicious permissions requests, network calls to unknown domains, and obfuscated code patterns.
The incident underscores a persistent vulnerability in crypto infrastructure. npm hosts millions of packages with varying security practices. Attackers frequently target popular libraries or typosquat existing ones (registering similar names). A successful compromise can affect thousands of dependent projects.
For Injective specifically, this exposes risk to dApps and wallets built on the chain. Developers relying on official Injective packages must verify package authenticity and watch for suspicious updates. The protocol itself was not breached, but the tooling ecosystem that surrounds it proved attractive to attackers.
This follows a pattern. The XZ Utils backdoor in 2024 similarly targeted a compression library used across Linux systems. Crypto's dependency chains face the same pressures. As adoption grows, so does attacker incentive to compromise foundational tools.
Teams building on Injective or any blockchain should
