Supply Chain Attack: npm Package Steals Crypto Wallets

A supply chain attack targeting the Injective Protocol SDK on npm — one of the most widely used open-source package repositories in software development — has exposed a growing threat that goes far beyond the cryptocurrency world. Developers unknowingly installed a version of the package that had been quietly modified to steal cryptocurrency wallet credentials, private keys, and sensitive environment variables. If your business relies on any software built by developers who use npm packages, this incident is directly relevant to you.

What Actually Happened in This Supply Chain Attack

The attack worked by compromising a legitimate, trusted software package used by blockchain developers. The malicious code was injected into the package in a way that made it look entirely normal. When developers installed it as part of their project, the hidden code ran silently in the background, harvesting wallet credentials and sending them to attacker-controlled servers. Nobody saw it happening. No alarms fired. The software appeared to work as expected.

This is the defining characteristic of a supply chain attack: the threat does not come through the front door. It hides inside something you already trust. In this case, it was a development tool. In other cases, it might be an accounting plugin, a customer support widget, or a logging library baked into software your team uses every day.

Why SMBs Are More Exposed Than They Realise

Large enterprises often have dedicated security teams reviewing every third-party dependency their developers introduce. Most small and medium businesses do not. If you have a developer, an IT contractor, or even a freelancer building or maintaining your internal tools, they are almost certainly pulling in open-source packages as part of their workflow. That is entirely normal — it is how modern software gets built. But each of those packages is a potential entry point.

What makes stolen credentials from this kind of attack particularly dangerous is where they end up. Harvested data from infostealers and supply chain compromises does not disappear. It gets packaged and sold on dark web markets, uploaded to credential dump forums, or traded privately between threat actors. Long after the original attack is patched and forgotten, your company's API keys, login credentials, or internal environment variables could still be circulating — being tested against your systems by automated bots.

The Credentials You Don't Know Are Stolen Are the Most Dangerous

Most businesses find out about a credential compromise the hard way: a breached account, an unauthorised transaction, or a ransomware note. By that point, the damage is already done. The credentials stolen in supply chain attacks like this one are often not connected to a single dramatic breach event. They come out quietly, surface in infostealer logs weeks later, and get exploited gradually.

This is exactly why monitoring matters more than patching alone. Patching fixes the known vulnerability. Monitoring tells you whether credentials from your environment have already left the building. At Breachrr, we scan breach databases, infostealer dump repositories, dark web markets, public code repositories, and exposed domain infrastructure specifically to surface this kind of silent exposure before it turns into an incident. We look for your business domains, employee email addresses, API patterns, and other digital fingerprints that indicate your data may have been caught in the crossfire of attacks like this one.

What You Should Do Right Now

If your business uses any custom-built software — even a simple internal tool — ask whoever built it which open-source packages are included and whether any of those packages have had security advisories in the past six months. You do not need to understand the code yourself. You just need to ask the question and expect a clear answer.

Beyond that, assume that supply chain attacks are not rare events you can ignore. The npm ecosystem processes billions of package downloads every week. Malicious packages have been discovered in the hundreds over the past few years, and the targeting is getting more sophisticated. Credential theft from these incidents feeds directly into the underground economy that targets businesses of every size.

The most practical step any SMB can take today is to find out what is already exposed. A supply chain attack you cannot see is still doing damage. Run a free audit at breachrr.com/audit to find out whether your business domains or credentials are already showing up in places they should not be.

Want to see if your company is exposed?

Want to see if your company is exposed?

Run a free audit →
Supply Chain Attack: npm Package Steals Crypto Wallets · Breachrr · Breachrr