Major Supply-Chain Attack Targets Crypto-Related Software Packages
A significant JavaScript supply-chain attack has compromised over 400 software packages, including at least 10 heavily used within the cryptocurrency ecosystem. The breach was uncovered by cybersecurity firm Aikido Security, highlighting the evolving threat landscape faced by developers and users alike.
In a detailed blog post, researcher Charlie Eriksen outlined the scope of the infection, identifying packages infected with the “Shai Hulud” malware—an autonomous, self-replicating strain designed to spread across developer environments. Eriksen confirmed the validity of each detection to prevent false positives. Many of these packages are responsible for critical functions, with some receiving tens of thousands of weekly downloads, emphasizing the widespread potential impact.
Of particular concern are the affected packages associated with the Ethereum Name Service (ENS), which facilitate human-readable blockchain addresses. Notable among these are ENS’s content-hash, with nearly 36,000 weekly downloads, and address-encoder, with over 37,500 weekly downloads. Other ENS packages, such as ensjs, ens-validation, ethereum-ens, and ens-contracts, are also compromised. A separate package, crypto-addr-codec, unrelated to ENS, with nearly 35,000 weekly downloads, was also affected.
This incident is part of a broader trend of supply-chain attacks. In September, the largest NPM attack to date resulted in approximately $50 million stolen from crypto assets. Amazon Web Services highlighted that this incident was followed by the spread of the Shai-Hulud worm, which replicated itself across environments post-initial breach.
Unlike previous targeted thefts, Shai Hulud primarily acts as a credential-stealer, spreading autonomously and harvesting wallet keys and other secrets stored within infected environments. This capability poses a significant threat to the security of blockchain assets if such secrets are stored insecurely.
Scope of the Affected Packages
Among the impacted packages, at least 10 are directly related to cryptocurrency functions, predominantly tied to the ENS ecosystem. Packages such as content-hash, with nearly 36,000 weekly downloads, and address-encoder, exceeding 37,500 downloads, are critical components used by developers to handle address and name resolution. Other key packages affected include ensjs, ens-validation, ethereum-ens, and ens-contracts.
Beyond crypto, several non-crypto packages are compromised, including popular tools from Zapier, like @zapier/secret-scrubber, with over 40,000 weekly downloads. Eriksen warned that affected packages with high download volumes, some approaching 70,000 weekly downloads, underscore the widespread reach of the malware.
Researchers from Wiz estimate that over 25,000 repositories across hundreds of users have been impacted, with new compromised repositories added every 30 minutes. The cybersecurity community urges immediate investigations and remediation efforts for any environment utilizing npm packages.
