Security Shock: NPM Supply‑Chain Attack Targets Major Crypto Ecosystem Libraries

A new NPM supply-chain attack compromises major crypto and ENS libraries, raising urgent cybersecurity concerns across the ecosystem.
TL;DR:

  • Shai Hulud malware infects over 400 NPM packages, including ten critical ENS and crypto libraries.
  • The attack can steal credentials, expose private repositories, and compromise sensitive environment secrets.
  • Non-crypto packages are also affected, with experts urging immediate investigation and remediation to prevent further spread.

A major JavaScript supply-chain attack has hit the crypto ecosystem, compromising hundreds of NPM packages, including at least ten widely used in Ethereum Name Service (ENS) projects. Cybersecurity researcher Charlie Eriksen from Aikido Security confirmed that these packages were infected with Shai Hulud malware, a self-replicating worm capable of stealing credentials and spreading autonomously. The malware poses a significant risk to any environment where affected libraries are installed.

Widespread Impact Across Crypto Packages

Among the infected packages, ENS-related libraries are most affected. The content-hash package alone, which has nearly 36,000 weekly downloads and 91 dependent packages, is compromised, alongside address-encoder, ensjs, ens-validation, ethereum-ens, and ens-contracts. An unrelated crypto package, crypto-addr-codec, with nearly 35,000 downloads per week, was also impacted. These infections threaten the integrity of tools relied on by developers across the crypto ecosystem, potentially exposing sensitive environment secrets if wallet keys or private credentials are present.

Non-crypto packages were also affected. Automation platform Zapier and other widely used libraries with tens of thousands of weekly downloads were compromised, with some packages seeing over 1.5 million weekly downloads. Eriksen described the scale of the attack as “massive”, warning that the worm continuously spreads across repositories, making detection and remediation urgent.

Shai Hulud differs from previous attacks, which targeted cryptocurrency directly to steal assets. Instead, it is a general-purpose credential-stealing malware, capable of harvesting secrets, replicating itself, and even exposing private repositories. Crypto forensics expert Slava Demchuk noted that while there is no evidence of wallet keys being stolen yet, any sensitive secrets in infected environments should be considered exposed, raising alarms about potential downstream risks.

Cybersecurity firm Wiz reported over 25,000 affected repositories, with 1,000 new repositories being added every 30 minutes. Both firms recommend immediate investigation and remediation for any developer using npm packages to prevent further compromise. The attack highlights vulnerabilities in the supply-chain model and underscores the need for stricter security protocols in open-source ecosystems.
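One triage check the recommendation above implies, written here as an added example (not code from the article, Aikido or Wiz): walk a parsed package-lock.json and report every copy of the package names the article lists, nested copies included, so the installed versions can be compared against the vendor advisory. The watchlist uses the names exactly as the article prints them; the exact published (possibly scoped) names and the affected version ranges must come from an advisory, and the sample lockfile and its versions are constructed.

```javascript
// Added example (not from the article): report every occurrence of a package
// name the article lists as compromised in a parsed package-lock.json, so the
// installed versions can be checked against the vendor advisory.
const WATCHLIST = new Set([                       // names as printed in the article
  'content-hash', 'address-encoder', 'ensjs', 'ens-validation',
  'ethereum-ens', 'ens-contracts', 'crypto-addr-codec',
]);

// Lockfile v2/v3 keys look like "node_modules/foo/node_modules/@scope/bar";
// the package name is everything after the last "node_modules/".
function nameFromPath(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns [{ name, version, path }] for each watchlisted package, including
// nested copies that a top-level "npm ls" view can hide.
function findWatchlisted(lock, watchlist = WATCHLIST) {
  const hits = [];
  if (lock.packages) {                           // lockfileVersion 2 or 3: flat map
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue;                  // root project entry
      const name = nameFromPath(key);
      if (watchlist.has(name)) hits.push({ name, version: meta.version, path: key });
    }
  } else if (lock.dependencies) {                // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (watchlist.has(name)) hits.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile; the versions are placeholders, not known-bad ones.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/content-hash': { version: '0.0.0-placeholder' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/crypto-addr-codec': { version: '0.0.0-placeholder' },
  },
};

for (const h of findWatchlisted(SAMPLE_LOCK)) console.log(`${h.name}@${h.version}  at ${h.path}`);
```

To scan a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any hit is a package to verify against the advisory, not yet proof of compromise.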
