
my wallet anxiety is at an all time high today.
turns out hackers slipped a backdoor into an injective npm package and it was quietly siphoning private keys and seed phrases straight off developers' machines.
disguised as "telemetry." telemetry my ass.
the thing sat there for less than an hour before getting yanked, but that's plenty of time for damage when the payload is literally your master key.
50k weekly downloads on that package. 17 other packages pinned to it. you do the math on the exposure.
and the wildest part is it came through a trusted contributor's github account, not some rando throwaway. that's the scary part of these supply chain attacks in 2026, they don't come through a sketchy dm, they come through the exact person your code already trusts.
i've been staring at my own dependency list like it personally wronged me.
if you touched an injective wallet function this week, rotate your keys now, don't wait, don't overthink it, just do it.
crypto.news reported that the compromised package spread through 17 related injective labs packages before it got pulled.
moral of the story: trust no code, not even the "trusted" kind. 💀🚀