Injective Thwarts npm Supply Chain Attack, Says No Funds Were at Risk
Crypto Scams

Injective Thwarts npm Supply Chain Attack, Says No Funds Were at Risk

By Samuel

Injective says the npm supply chain issue was resolved before downloads, with zero user funds at risk or compromised.

Injective said it resolved a potential compromise involving its npm packages after several public security reports. The project said no user funds were at risk during the incident.

The team said internal monitoring detected the issue before any affected package version was downloaded. It then removed the affected versions and released a clean replacement package.

Injective said the malicious package recorded zero downloads before it was deprecated. Therefore, developers using the project’s SDK were not exposed through that package.

The update comes as crypto projects face growing risks from software supply chain attacks. Moreover, Injective said its response prevented user exposure before the issue reached production use.

Injective Responds to npm Package Reports

Injective released a public statement after reports claimed its npm packages may have been compromised. The team said the issue was detected through its own security monitoring systems. It also said the response began immediately after the warning appeared.

The affected package versions were deprecated before developers downloaded them from the registry. Injective then replaced them with a new clean version of the package. This action stopped the suspected package from reaching active development environments.

The project said users did not need to move funds or take emergency action. It also said no wallets, balances, or on-chain applications were affected. The incident remained limited to a blocked software package threat.

No Downloads or Fund Losses Reported

Injective said the malicious package had zero downloads before it was removed. This point supported the project’s statement that no user funds were exposed. The team also said no funds were lost during the event.

The project said the attempted compromise did not reach Injective’s on-chain systems. No smart contracts, applications, or user transactions were affected by the package issue. This kept the event outside the live network environment.

Moreover, Injective described the matter as a supply chain attempt through developer tooling. Such attempts target software packages used by builders and applications. In this case, the team said detection happened before developers pulled the affected version.

Read also: Bullish: New Injective Governance Vote Could Slash $INJ Supply By Half

Injective Adds More Security Measures

Injective said its npm packages are widely used SDK tools across the crypto sector. Because of that, the project said package security remains a main priority. The team also said it has added further protections after the incident.

The project said the new changes are designed to prevent similar attempts from recurring. It did not report any active threat to users after the package replacement. Developers were directed to rely on the updated clean package version.

Injective has also referred to its mainnet record since launch nearly five years ago. The project said no on-chain vulnerability has been successfully exploited during that period. For now, Injective says the npm issue was contained before user exposure occurred.

Samuel

About the Author

Samuel

Leave a Reply