A significant supply-chain attack targeting JavaScript has compromised hundreds of software packages, with at least 10 widely used within the cryptocurrency ecosystem affected, according to new research from cybersecurity firm Aikido Security.
Charlie Eriksen, a researcher at Aikido Security, shared details of the attack, identifying over 400 packages exhibiting signs of infection with "Shai Hulud," a self-replicating malware. This malware is part of an ongoing JavaScript NPM library supply chain attack. Eriksen emphasized that each detection was validated to prevent false positives.
Many of the compromised cryptocurrency-related packages see tens of thousands of downloads per week and are dependencies of numerous other packages. Eriksen also alerted the Ethereum Name Service (ENS) team, indicating that several of their packages are affected by this attack.
The Shai Hulud malware is part of a larger trend of supply chain attacks. In early September, the largest reported NPM attack to date saw hackers steal $50 million in crypto. Amazon Web Services noted that this initial attack was followed by the Shai-Hulud worm, which began spreading autonomously just a week later.
Unlike the previous attack, which directly targeted cryptocurrency to steal assets, Shai-Hulud functions as a general-purpose credential-stealing malware. It spreads autonomously across developer infrastructure and will steal wallet keys if they are present in the infected environment, treating them as any other credential.
Affected Cryptocurrency Packages
Among the compromised packages, at least 10 are specifically related to the cryptocurrency industry, with a significant number tied to ENS, the service that maps human-readable names to blockchain addresses. These include ENS's content-hash, which has nearly 36,000 weekly downloads and is a dependency of 91 other packages, and address-encoder, with over 37,500 weekly downloads.
Other affected ENS packages include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). Additionally, a cryptocurrency-related package not associated with ENS, named crypto-addr-codec, was also compromised, with almost 35,000 downloads.
Popular Non-Cryptocurrency Packages Affected
The attack also impacted popular non-cryptocurrency packages. Some packages from the corporate automation platform Zapier are affected, including one with over 40,000 weekly downloads, with many others close behind. Eriksen has pointed to other infected packages, some with nearly 70,000 weekly downloads, and one package, posthog-node, which sees well over 1.5 million weekly downloads.
Eriksen stated on X that the scope of this new Shai-Hulud attack is "frankly massive," with the team still working to confirm all affected packages. He added: "It'll make the previous attack look like nothing."
Researchers from cybersecurity firm Wiz reported observing over 25,000 affected repositories across approximately 350 unique users. They noted that around 1,000 new repositories were being added every 30 minutes in the hours leading up to their report. The company strongly recommends immediate investigation and remediation for any environment that uses npm.
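A first triage step for that investigation is to check whether any of the package names reported above appear in a project's lockfile. The script below is an added example, not code from Aikido, Wiz or the article; it matches only on the unscoped package name because the article gives neither the npm scopes nor the affected version ranges, so every hit is a candidate for manual review against the vendor advisories, not a confirmed compromise, and the sample lockfile and versions are constructed placeholders.

```python
import json

# Package names reported compromised in the article (unscoped). Scopes
# and affected versions are not given there, so we match on the final
# path segment only and flag hits for review (assumption, not an IoC list).
REPORTED_NAMES = {
    "content-hash", "address-encoder", "ensjs", "ens-validation",
    "ethereum-ens", "ens-contracts", "crypto-addr-codec", "posthog-node",
}

def _walk_v1(deps, path, hits):
    """Recurse through lockfileVersion 1 nested 'dependencies' maps."""
    for name, meta in (deps or {}).items():
        here = path + [name]
        if name.rsplit("/", 1)[-1] in REPORTED_NAMES:
            hits.append((" > ".join(here), meta.get("version", "?")))
        _walk_v1(meta.get("dependencies"), here, hits)

def find_reported_packages(lockfile_text):
    """Return sorted [(dependency path, version)] for every lockfile entry
    whose package name is in REPORTED_NAMES. Handles lockfileVersion 1-3."""
    lock = json.loads(lockfile_text)
    hits = []
    packages = lock.get("packages")
    if packages is not None:            # lockfileVersion 2 or 3
        for key, meta in packages.items():
            if not key:                 # "" is the root project itself
                continue
            name = meta.get("name") or key.split("node_modules/")[-1]
            if name.rsplit("/", 1)[-1] in REPORTED_NAMES:
                hits.append((key, meta.get("version", "?")))
    else:                               # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), [], hits)
    return sorted(hits)

# Constructed sample lockfile; versions are placeholders, not real releases.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/posthog-node": {"version": "0.0.0-placeholder"},
        "node_modules/@ensdomains/content-hash": {"version": "0.0.0-placeholder"},
        "node_modules/some-lib/node_modules/crypto-addr-codec": {"version": "0.0.0-placeholder"},
    },
})

if __name__ == "__main__":
    for path, version in find_reported_packages(SAMPLE_LOCK):
        print(f"REVIEW: {path}@{version}")
```

Run it against a real package-lock.json by passing the file contents to find_reported_packages; a hit means the name matches, and the installed version still has to be compared with the published advisories.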