Attackers backdoored the official Injective TypeScript SDK on npm, inserting code into 18 packages that captured wallet private keys and seed phrases during normal key-derivation flows before clean replacements were published roughly 49 minutes later.
Read more...