Injective software package hit by malicious supply chain attack – Details

ambcryptoPubblicato 2026-07-10Pubblicato ultima volta 2026-07-10

Introduzione

In a software supply chain attack, malicious actors compromised the Injective Labs TypeScript SDK (@injectivelabs/sdk-ts v1.20.21) by uploading a tainted version to the npm registry. The attackers gained access to a legitimate contributor's GitHub account to distribute malicious commits. The compromised package, disguised as a routine update, contained malware that activated only when developers used specific wallet generation functions, stealing private keys and mnemonic seed phrases. This breach impacted approximately 50,000 weekly downloads and spread through transitive dependencies in 17 other Injective packages. While a clean version (v1.20.23) was later released, the malicious package remained accessible. Affected users are advised to rotate credentials, create new wallets, and move their funds.

Software supply chain attacks have become more common, with attackers increasingly targeting trusted developer tools instead of end users.

In the latest incident, attackers compromised a trusted Injective Labs software package to steal developers’ wallet credentials.

Source: Socket

How did Injective SDK attack unfold?

The attacker uploaded a malicious version of the TypeScript SDK, @injectivelabs/sdk-ts v1.20.21, to npm. The package was designed for building Injective applications, creating wallets, and signing transactions.

The attacker then gained access to a legitimate Injective Labs contributor’s GitHub account and distributed malicious commits. One test branch was named “test-backdoor-check.”

Under the guise of telemetry, the attacker published the compromised package to npm.

Instead of collecting usage data, the malware extracted private keys and mnemonic seed phrases. That gave attackers everything needed to recreate and seize victims’ crypto wallets.

On top of that, the compromise spread through transitive dependencies in 17 additional Injective packages that relied on the SDK.

The loophole that led to the breach

The malicious code remained inactive during installation, helping it evade detection.

Instead, it executed only when developers used the fromMnemonic or fromHex wallet generation functions.

Around 50,000 downloads of the compromised package occurred each week. At least 87 other packages also depended on it directly.

The attacker also released 17 additional Injective packages pinned to the compromised SDK version, expanding the attack’s reach.

Source: Socket

What’s more?

Soon after, a clean version, v1.20.23, was made available. However, the compromised version was still available on npm as a deprecated package, and its release artifacts were still available on GitHub.

Hence, to avoid further such incidents, users should rotate all impacted credentials, create new wallets, and move their money.

This coincided with BonkDAO losing $20 million because of a “malicious governance proposal” making them the most recent victim of a crypto hack.


Final Summary

  • The wrongdoer gained access to a legitimate Injective Labs contributor’s GitHub account and used it to distribute malicious commits.
  • Developers were made vulnerable by the attack because of transitive dependencies in 17 additional injective packages.

Domande pertinenti

QWhat was the primary target of the attackers in the Injective software package supply chain attack?

AThe primary target was developers, specifically aiming to steal their wallet credentials, including private keys and mnemonic seed phrases.

QHow did the malicious package, @injectivelabs/sdk-ts v1.20.21, evade initial detection?

AThe malicious code remained inactive during package installation and only executed when developers used specific wallet generation functions, such as fromMnemonic or fromHex.

QWhat was the role of transitive dependencies in this attack?

AThe compromise spread through transitive dependencies, affecting 17 additional Injective packages that relied on the malicious SDK, significantly expanding the attack's reach.

QWhat action did the attacker take after publishing the malicious SDK package to npm?

AThe attacker also released 17 additional Injective packages that were pinned to the compromised SDK version, further distributing the malware.

QWhat measures are recommended for users to protect themselves from the consequences of this attack?

AUsers should rotate all impacted credentials, create new wallets, and move their funds to these new, secure wallets.

Letture associate

After Aave's Exit and TVL's Sharp Fluctuation, Where Does MegaETH's Valuation Anchor Lie?

Following the withdrawal of Aave and a sharp drop in its Total Value Locked (TVL), the valuation of the high-performance DeFi blockchain MegaETH faces scrutiny. Once a highly anticipated project with a fully diluted valuation (FDV) reaching around $2 billion, MegaETH saw its TVL plummet from a May peak of $245 million to just over $30 million in July, a roughly 70% decline. Its native token, MEGA, currently trades around $0.048 with a market cap of approximately $54 million and an FDV of about $480 million. The report identifies a core vulnerability: MegaETH's TVL was heavily dependent on a single protocol, Aave V3, which at its peak contributed around 90% of the chain's TVL. A significant portion of this capital is attributed to leveraged yield-farming strategies involving stablecoins like USDe. When the profitability of these strategies diminished, capital rapidly exited, exposing the lack of diversified, sustainable activity. Three key mismatches between MegaETH's valuation and its fundamentals are highlighted: 1. **Valuation vs. Real Usage:** With an FDV of ~$4.8B but only ~$1M in annualized protocol revenue and ~2,600 daily active addresses, the valuation appears disconnected from current economic activity. 2. **Token Narrative vs. Ecosystem Reality:** Despite its DeFi narrative, nearly 80% of the chain's recent protocol revenue comes from a trading card game, Monster, not from core DeFi applications like Aave. The chain's native stablecoin, USDM, also shows low trading volume and a declining market cap. 3. **Short-Term Hype vs. Long-Term Delivery:** Initial hype from token generation, blue-chip integrations, and influencer support has faded. Major protocols like Uniswap now hold minimal TVL on the chain, indicating that early capital was largely transient and driven by incentives rather than organic demand. The situation reflects a broader market trend where investors are becoming less tolerant of valuations based on inflated TVL and narrative, demanding clearer evidence of sustainable transactions, revenue, and ecosystem development. While MEGA's price may experience short-term rebounds from market sentiment, a fundamental re-rating likely depends on the team's ability to convert its remaining resources into tangible, user-retaining applications and genuine ecosystem growth.

链捕手1 h fa

After Aave's Exit and TVL's Sharp Fluctuation, Where Does MegaETH's Valuation Anchor Lie?

链捕手1 h fa

Goldman Sachs In-Depth Report: Who Will Be the Long-Term Winners in China's AI Large Model Industry?

Goldman Sachs Report: China's AI Models at an Inflection Point China's open-source/open-weight large language models (LLMs) have reached performance parity with top global proprietary models, according to a Goldman Sachs report. This is driven by architectural innovations and higher parameter efficiency, allowing Chinese models to achieve comparable capabilities at 2%-10% the parameter size and significantly lower cost. The market is evolving into a two-tiered structure: a high-end segment (e.g., GLM5.2, Qwen3.7 Max) with premium pricing and a low-end, price-sensitive segment for global SMEs and individual users. Key points: * **Cost & Performance:** Innovations like Mixture of Experts (MoE) enable high performance with smaller models. Projects like Meituan's LongCat 2.0, trained on domestic hardware, highlight progress in tech self-sufficiency. * **Open-Source Strategy:** Most Chinese players use open-source/open-weight models for flexibility and ecosystem growth. However, Goldman notes this may underreport actual deployment and revenue. A shift toward "open-weight + community license" models with revenue sharing (e.g., MiniMax) could improve monetization. * **Market Shift & Global Expansion:** Enterprise AI adoption is shifting from "token maximization" to "ROI-first." International expansion, especially in non-US markets, is a major growth driver. Chinese models are increasingly available on global platforms like AWS Bedrock and Microsoft Copilot. * **Competitive Landscape:** Using a framework based on pricing power, cost advantage, and financial strength, Goldman identifies **Zhipu AI and DeepSeek** as the strongest in foundational text models, and **ByteDance** as the leader in multimodal/video generation. The report maintains Buy ratings on MiniMax and Kuaishou. * **Market Growth:** China's AI model API and subscription revenue is projected to grow from an estimated ¥35 billion in 2026 to ¥879 billion by 2030.

marsbit1 h fa

Goldman Sachs In-Depth Report: Who Will Be the Long-Term Winners in China's AI Large Model Industry?

marsbit1 h fa

Goldman Sachs Deep Dive Report: Who Will Become the Long-Term Winners in China's AI Large Model Industry?

Goldman Sachs Report: Who Will Be the Long-Term Winners in China's AI Large Model Industry? China's AI large model sector is at a historic inflection point. Goldman Sachs argues that the intelligence of Chinese open-source/open-weight models is approaching top global proprietary models. Rapid adoption by domestic enterprises and global SMEs is creating a data flywheel effect that will further drive model iteration. The evolution is summarized as moving from "DeepSeek's cost-efficiency moment last year to GLM's model-intelligence moment this year." Chinese models achieve near-state-of-the-art performance at significantly lower cost, primarily due to architectural innovations like Mixture of Experts (MoE) and higher parameter efficiency. Models like DeepSeek V4 Pro (1.6T params), GLM5.2 (0.7T), and MiniMax M3 (0.4T) are much smaller than global leaders. Recent advancements in coding capability are attributed to better data curation and RLHF. Landmarks like Meituan's LongCat 2.0, trained fully on domestic AI chips, demonstrate progress in hardware stack independence. The market is forming a "two-tiered structure." The high-end tier (e.g., GLM5.2, Alibaba's Qwen3.7 Max) prices around $1 per million tokens, about 10-25% of US top models, with estimated inference gross margins of 10-20%. The low-end tier (priced as low as $0.06-$0.2 per million tokens) targets price-sensitive global SMEs and individuals. MiniMax derives 60-70% of revenue overseas. Goldman forecasts China's AI model API/subscription revenue to grow from an estimated RMB 35bn in 2026 to RMB 879bn by 2030. Most Chinese players adopt open-source/open-weight strategies for deployment flexibility and community feedback, though this limits monetization as deployments on third-party platforms (e.g., Alibaba Cloud) may not generate direct revenue. A shift towards "open-weight + community license" models with revenue-sharing agreements (like MiniMax's approach) could improve unit economics. International expansion, particularly in non-US markets, is the key growth driver. The global enterprise AI paradigm is shifting from "token maximization" to "ROI prioritization." Chinese models are already hosted on major global platforms like AWS Bedrock and are under consideration for integration into Microsoft Copilot. Using a competitive framework based on pricing power, cost advantage, and financial strength, Goldman identifies the strongest players: In foundational text models, Zhipu AI (initiated coverage) and DeepSeek lead. In multimodal/video generation, ByteDance's Seed is the frontrunner, with Kuaishou's Kling and MiniMax's Hailuo also well-positioned. Goldman maintains a Buy rating on MiniMax, citing its attractive valuation.

链捕手1 h fa

Goldman Sachs Deep Dive Report: Who Will Become the Long-Term Winners in China's AI Large Model Industry?

链捕手1 h fa

Trading

Spot
活动图片