Jul 13, 2026 · 5:55 AM
Subscribe
Home Business

Two npm attacks in four days show crypto's weak point is the supply chain

Two separate npm supply chain attacks hit within days of each other in July 2026, one compromising a widely used Injective blockchain SDK to steal wallet keys, the other hijacking a security vendor's own package to drop an infostealer. Neither touched a blockchain directly, both went after developer machines instead.

Janet Harrison
· 4 min read · 94 views
Two npm attacks in four days show crypto's weak point is the supply chain

A crypto SDK and a security vendor both got hijacked on npm within days of each other in July 2026. Neither attack touched a blockchain. Both went straight for the developer's machine instead.

On July 8, someone slipped a malicious commit into the GitHub repository behind @injectivelabs/sdk-ts, a TypeScript SDK used to build on the Injective blockchain and pulled roughly 175,000 times a month. The commit came from an account with a real history of contributions to the project, according to Datadog Security Labs, which meant it didn't trip the usual alarm bells. Version 1.20.21 shipped with code hooked into the SDK's wallet functions, PrivateKey.fromMnemonic and PrivateKey.fromHex, the exact functions a wallet calls the moment it needs to turn a seed phrase into a usable key.

That's the moment the malicious code grabbed it.

The theft was disguised as telemetry. Datadog's researchers found that stolen mnemonics and private keys were base64-encoded and stuffed into the X-Request-Id header of outbound HTTP requests, riding alongside what looked like a routine gRPC-web call. No install script triggered it. The code ran at runtime, when a wallet actually derived a key, not when the package installed. That detail matters more than it sounds. Developers who run npm install --ignore-scripts as a defense against supply chain attacks would have installed this package clean and still gotten robbed the first time they used it.

The response was fast. Injective's team caught the bad commit and shipped version 1.20.23 within roughly 49 minutes, according to the company and confirmed by Bleeping Computer. The tainted version had been downloaded 310 times, and it had also auto-propagated into 18 related @injectivelabs packages that pinned the compromised SDK as a dependency, according to StepSecurity. No funds were reported lost. Fifty minutes is not a long window. It was still long enough to reach hundreds of machines.

Then a security vendor got hit too

Three days later, on July 11, the npm package for Jscrambler, a JavaScript obfuscation and security vendor with about 15,800 weekly downloads, started shipping malware. According to Socket.dev and The Hacker News, an attacker used a stolen publishing credential to push version 8.14.0, which carried a preinstall hook wiring in a 7.8MB file disguised as intro.js. It wasn't JavaScript. It was three gzip-compressed native binaries, one each for Windows, macOS, and Linux, and the install script picked the right one, wrote it to a random filename in the temp directory, and launched it detached with its output hidden.

The payload, a Rust-compiled infostealer, went after cloud credentials from AWS, Azure, and Google Cloud, npm and GitHub tokens, Bitwarden vaults, and configuration files from AI coding tools including Claude Desktop and Cursor, according to Socket's writeup. Socket flagged the release just six minutes after it hit the registry. That's fast detection. It didn't matter much, because the attacker pushed five malicious releases across three hours before a clean version, 8.15.0, replaced it at the top of the listing. Version 8.14.0 itself was never pulled from npm. Any lockfile still pinned to it keeps installing the stealer today.

The pattern smart contract audits were never built to catch

Put the two incidents side by side and a pattern shows up that smart contract audits were never built to catch. Neither attack exploited a blockchain, a bridge, or a DeFi protocol. Both went after the software supply chain that developers trust by default, the thing you pull in with a single install command and rarely read line by line. And in the Jscrambler case, the company being impersonated by its own package was itself a security vendor, one whose entire business is protecting other people's code.

Attackers are also getting smarter about evasion, not just speed. The Injective breach worked precisely because the theft happened at runtime instead of install time, dodging the --ignore-scripts protection that's become standard advice in dev-tooling circles. Encoding stolen data into an HTTP header instead of a request body is the same instinct: hide the exfiltration inside traffic that looks routine to anyone watching for large or unusual payloads.

Frankly, the lesson from this month isn't that crypto projects need better audits. It's that anyone running npm install on a machine holding real credentials, wallet or otherwise, is trusting a supply chain that a compromised GitHub account or a single stolen publishing token can turn hostile in minutes.

Also read: A $250 Deposit Just Drained $9 Million From Hedera's Biggest Lending ProtocolOratomic raises 300 million dollars just 100 days after leaving stealthRobinhood Lets AI Agents Trade Your Crypto Around the Clock Now

TOPICS
Janet Harrison has over 16 years experience in the financial services industry giving her a vast understanding of how news affects the financial markets, and an early adopter of blockchain technology and digital currencies. Janet is an active holder and trader spending the majority of her time analyzing blockchain projects, reports and watching new and upcoming projects and other initiatives in the industry. She has a Masters Degree in Economics with previous roles counting Investment Banking.
Related Articles
More posts →
Loading next article…
You're all caught up