- A widespread JavaScript supply-chain attack has infected over 400 npm packages with the “Shai Hulud” malware.
- At least 10 compromised packages are widely used in the cryptocurrency ecosystem, notably those linked to the Ethereum Name Service (ENS).
- Shai Hulud is a credential-stealing malware that spreads autonomously across developer infrastructures.
- Popular non-crypto packages, including some from Zapier, are also affected.
- Cybersecurity firms highlight the urgent need for investigation and remediation for environments using npm.
A new JavaScript supply-chain attack has compromised more than 400 software packages, including at least 10 heavily used in the cryptocurrency sector. The ongoing infection, driven by the “Shai Hulud” malware, was revealed on Monday by researcher Charlie Eriksen from cybersecurity firm Aikido Security, who confirmed each case to avoid false positives. Several affected packages are integral to the Ethereum Name Service (ENS), a service providing human-readable blockchain addresses.
The “Shai Hulud” malware is a self-replicating worm that spreads automatically through npm libraries, targeting developer environments to steal credentials, including wallet keys where present. The campaign follows an earlier npm attack in early September that resulted in the theft of about $50 million in cryptocurrency. According to a post on the Amazon Web Services security blog, Shai Hulud emerged soon after that attack and marks a shift toward general-purpose credential theft rather than direct theft of assets.
Among the crypto packages infected are ENS-related ones such as content-hash, with nearly 36,000 weekly downloads and 91 dependent packages, address-encoder, with over 37,500 weekly downloads, ensjs, ens-validation, ethereum-ens, and ens-contracts. A further crypto package, crypto-addr-codec, with around 35,000 weekly downloads, was also compromised. Eriksen alerted the ENS team to these compromised packages in a post on X.
Non-cryptocurrency packages hit include some offered by Zapier, with downloads up to around 40,000 weekly. Other infected packages mentioned by Eriksen include ones with close to 70,000 weekly downloads and a package called posthog-node, which sees over 1.5 million downloads weekly. Cybersecurity firm Wiz reported identifying more than 25,000 affected repositories involving roughly 350 unique users and noted that about 1,000 new infected repositories are added every 30 minutes. Wiz urges immediate action to investigate and remediate npm environments, as detailed in their blog post.
“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen wrote on X. “It’ll make the previous attack look like nothing.”
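The investigation Wiz calls for starts with knowing whether any of the packages named above are installed at all. The following is an added example, not code from the article, Aikido or Wiz: it walks a parsed package-lock.json and lists every installed copy of the packages the article names. The article gives no affected version numbers, so the check reports name, version and install path for review against the published advisories rather than declaring any version clean; the sample lockfile and its versions are constructed for the demo.

```javascript
// Added example (not code from the article, Aikido or Wiz): report every
// installed copy of the npm packages the article names as compromised that
// a parsed package-lock.json contains. The article gives no affected version
// numbers, so this only lists name, version and install path for manual
// review against the vendor advisories; it does not judge a version clean.

// Package names taken from the article (Zapier's packages are not named there).
const NAMED_PACKAGES = new Set([
  "content-hash", "address-encoder", "ensjs", "ens-validation",
  "ethereum-ens", "ens-contracts", "crypto-addr-codec", "posthog-node",
]);

// Handles lockfileVersion 2/3 ("packages" keyed by install path; nested
// copies appear as ".../node_modules/x/node_modules/y") and lockfileVersion 1
// (nested "dependencies" trees). Hits are returned sorted by install path.
function findNamedPackages(lock, names = NAMED_PACKAGES) {
  const MARK = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf(MARK);
    if (i < 0) continue; // root entry ("") or a workspace path, not an install
    const name = path.slice(i + MARK.length); // keeps "@scope/name" intact
    if (names.has(name)) hits.push({ name, version: meta.version, path });
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}${MARK}${name}`;
      if (names.has(name)) hits.push({ name, version: meta.version, path });
      walkV1(meta.dependencies, `${path}/`); // transitive copies are nested
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, ""); // v2 has both; prefer "packages"
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile (versions are made up for the demo) with one
// direct and one nested copy of named packages among unrelated ones.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "posthog-node": "^4.0.0" } },
    "node_modules/posthog-node": { version: "4.2.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-ens-lib": { version: "0.1.0" },
    "node_modules/some-ens-lib/node_modules/content-hash": { version: "2.5.4" },
  },
};
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findNamedPackages` and review each reported version against the advisories; a lockfile with no hits still says nothing about packages installed outside it (global installs, CI caches).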
