Security firm Socket has uncovered a breach in the npm package @injectivelabs/sdk-ts, used by the Injective blockchain, where hackers inserted malicious code to steal wallet private keys and mnemonics. The attackers compromised a developer's GitHub account to execute the attack, encoding stolen data and sending it to a server disguised as a legitimate Injective network address. The package, which sees approximately 50,000 downloads weekly, had its malicious version 1.20.21 introduced on June 8, affecting 17 other packages within the Injective Labs npm scope. Although Injective CEO Eric Chen confirmed the issue has been resolved and the affected versions deprecated, the malicious package was downloaded over 310 times. Socket warns that the attack has not been fully contained.