Binance Square
#supplychainattack

supplychainattack

8,164 views
20 Discussing
DRACO CHAIN
·
--
$INJ SDK COMPROMISED — 50,000 WEEKLY DOWNLOADS AFFECTED ⚠️ The @injectivelabs/sdk-ts npm package was maliciously modified after a developer's GitHub account was compromised. Version 1.20.21 contains code that steals wallet private keys and mnemonic phrases, encoding them to a disguised server. With roughly 50,000 weekly downloads and 17 other packages in the same scope also locked, this is a broad supply chain attack. Suspicious commits started June 8th. Have you audited your dependencies? Not financial advice. Always manage your risk. #INJ #SupplyChainAttack #CryptoSecurity #SecurityAlert ⚠️
$INJ SDK COMPROMISED — 50,000 WEEKLY DOWNLOADS AFFECTED ⚠️

The @injectivelabs/sdk-ts npm package was maliciously modified after a developer's GitHub account was compromised. Version 1.20.21 contains code that steals wallet private keys and mnemonic phrases, encoding them to a disguised server.

With roughly 50,000 weekly downloads and 17 other packages in the same scope also locked, this is a broad supply chain attack. Suspicious commits started June 8th. Have you audited your dependencies?

Not financial advice. Always manage your risk.

#INJ #SupplyChainAttack #CryptoSecurity #SecurityAlert

⚠️
30 MALICIOUS NPM PACKAGES TARGETING $ETH DEVELOPERS FOUND 🔥 A coordinated supply chain attack has been uncovered, using a fake trading bot repository and a DeFi-themed npm package to inject a JavaScript information stealer. The scope includes 30 malicious packages, with stake-math@3.5.4 pinned as a dependency in a repo that spawned roughly 2,300 nearly identical forks — a clear automation red flag. Sensitive data in the line of fire: wallet libraries, private keys, mnemonics, API tokens, and stored browser credentials. If you’ve run npm install recently on any project connected to DeFi or trading bots, your environment may already be compromised. Are you auditing your dependencies today? Not financial advice. Always manage your risk. #ETH #SecurityAlert #DeFi #SupplyChainAttack 🔥
30 MALICIOUS NPM PACKAGES TARGETING $ETH DEVELOPERS FOUND 🔥

A coordinated supply chain attack has been uncovered, using a fake trading bot repository and a DeFi-themed npm package to inject a JavaScript information stealer. The scope includes 30 malicious packages, with stake-math@3.5.4 pinned as a dependency in a repo that spawned roughly 2,300 nearly identical forks — a clear automation red flag.

Sensitive data in the line of fire: wallet libraries, private keys, mnemonics, API tokens, and stored browser credentials. If you’ve run npm install recently on any project connected to DeFi or trading bots, your environment may already be compromised. Are you auditing your dependencies today?

Not financial advice. Always manage your risk.

#ETH #SecurityAlert #DeFi #SupplyChainAttack

🔥
Polymarket Vendor Compromised — Attackers Drained $2.9M From Wallets A supply chain attack hit Polymarket over the weekend. A malicious script injected into the frontend drained roughly $2.9 million before the team shut it down. This is not a smart contract exploit. Attackers targeted Polymarket's software supply chain rather than core infrastructure. Supply chain attacks hide in trusted third-party code, making them harder to spot. Polymarket confirmed all affected users will receive full refunds. The team isolated the breach quickly. But the incident highlights how platforms relying on external services expose attack surfaces beyond smart contracts. Prediction markets have drawn massive attention this year. This breach tests whether platforms can maintain trust as they scale. Security audits of third-party dependencies may need to become standard practice. Should decentralized platforms audit their software dependencies more aggressively? The industry is watching. $BTC $ETH $SOL #Polymarket #SupplyChainAttack #Crypto
Polymarket Vendor Compromised — Attackers Drained $2.9M From Wallets

A supply chain attack hit Polymarket over the weekend. A malicious script injected into the frontend drained roughly $2.9 million before the team shut it down.

This is not a smart contract exploit. Attackers targeted Polymarket's software supply chain rather than core infrastructure. Supply chain attacks hide in trusted third-party code, making them harder to spot.

Polymarket confirmed all affected users will receive full refunds. The team isolated the breach quickly. But the incident highlights how platforms relying on external services expose attack surfaces beyond smart contracts.

Prediction markets have drawn massive attention this year. This breach tests whether platforms can maintain trust as they scale. Security audits of third-party dependencies may need to become standard practice.

Should decentralized platforms audit their software dependencies more aggressively? The industry is watching. $BTC $ETH $SOL
#Polymarket #SupplyChainAttack #Crypto
$INJ SDK BACKDOOR – 310 DOWNLOADS OF MALICIOUS CODE BEFORE FIX 🔥 A tainted version of Injective's core TypeScript package was live for under an hour on npm, silently exfiltrating wallet seed phrases and private keys. The malicious release spread across 18 packages and was downloaded 310 times before being pulled. Security firm Socket confirmed the compromise originated from a hijacked GitHub contributor account. The rogue code disguised itself as analytics and sent stolen keys to a server mimicking legitimate Injective infrastructure. Any key that passed through version 1.20.21 should be treated as compromised. Are your projects running the affected @injectivelabs/sdk-ts package? Not financial advice. Always manage your risk. #INJ #SecurityAlert #CryptoAlert #WalletSafety #SupplyChainAttack 🔥
$INJ SDK BACKDOOR – 310 DOWNLOADS OF MALICIOUS CODE BEFORE FIX 🔥

A tainted version of Injective's core TypeScript package was live for under an hour on npm, silently exfiltrating wallet seed phrases and private keys. The malicious release spread across 18 packages and was downloaded 310 times before being pulled.

Security firm Socket confirmed the compromise originated from a hijacked GitHub contributor account. The rogue code disguised itself as analytics and sent stolen keys to a server mimicking legitimate Injective infrastructure. Any key that passed through version 1.20.21 should be treated as compromised.

Are your projects running the affected @injectivelabs/sdk-ts package?

Not financial advice. Always manage your risk.

#INJ #SecurityAlert #CryptoAlert #WalletSafety #SupplyChainAttack

🔥
Log in to explore more content
Join global crypto users on Binance Square
⚡️ Get latest and useful information about crypto.
💬 Trusted by the world’s largest crypto exchange.
👍 Discover real insights from verified creators.
Email / Phone number