Socket researchers uncovered a supply chain attack targeting the Injective npm package, with hackers embedding malware to steal wallet keys. The incident specifically impacts developers and applications managing Injective wallet workflows.

Attackers compromised the package by injecting malicious code into an npm release, aiming to exfiltrate private keys during wallet interactions. On-chain activity related to the attack remains under investigation, but no direct price movement for the INJ token has been reported in connection with the breach.

Regulatory implications remain unclear, as the attack focuses on open-source package integrity rather than exchange or DeFi protocol vulnerabilities. The CFTC and SEC have not issued statements on this class of supply chain threats in crypto, though precedent exists for enforcement against negligent code security.

INJ's market capitalization stands at approximately $1.8 billion, ranking it among the top 50 cryptocurrencies. The token saw trading volumes of roughly $150 million in the prior 24 hours, showing no immediate correlation with the security event.

The Injective community has yet to release an official response, while competing layer-1 protocols like Cosmos and Celestia have not commented on potential cross-chain risks. Socket's disclosure underscores the growing attack surface in JavaScript-based Web3 tooling.