A major JavaScript supply-chain attack has compromised hundreds of software packages — including at least 10 used widely across the crypto ecosystem — according to new research from cybersecurity firm Aikido Security.
In a Monday post, Charlie Eriksen, a researcher at Aikido Security, shared the names of over 400 packages that show signs of infection with the “Shai Hulud” self-replicating malware used in an ongoing JavaScript NPM library supply chain attack. Eriksen said he validated each detection to avoid false positives.
Many of the cryptocurrency-related packages involved receive tens of thousands of downloads per week and have numerous other packages that require them to function. In an X post published earlier today, Eriksen also warned the Ethereum Name Service (ENS) team that several of their packages are affected.
Shai Hulud is part of a broader supply chain attack trend. In Early September, the largest NPM attack reported to date saw hackers only steal $50 million of crypto. Amazon Web Services noted that this first attack was followed by the Shai-Hulud worm spreading autonomously just a week later.
While the previous attack directly targeted crypto to steal assets, Shai-Hulud is a general-purpose credential-stealing malware that spreads autonomously across developer infrastructure. If the infected environment contains wallet keys, the malware will steal them as “secrets” like any other credential.
Related: Failed NPM exploit highlights looming threat to crypto security: Exec
Which crypto packages are affected?
Among all the affected packages, at least 10 were specifically related to the cryptocurrency industry, and nearly all were tied to the ENS, a human-readable address name service. Among the affected packages are ENS’s content-hash, with almost 36,000 weekly downloads, and 91 software packages depending on it, as well as address-encoder, with over 37,500 weekly downloads.
Other ENS packages affected include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A cryptocurrency-related package unrelated to ENS, called crypto-addr-codec, was also compromised, with almost 35,000 downloads.
Related: $27 million gone, no private keys exposed: How the BigONE hack happened
Popular non-crypto packages affected
Non-crypto-related packages affected include some offered by the corporate automation platform Zapier, including one with over 40,000 downloads per week and many not far behind. In a subsequent post, Eriksen pointed to other packages that were infected, some with nearly 70,000 weekly downloads, and to another package seeing well over 1.5 million weekly downloads.
“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen wrote on X.
“It’ll make the previous attack look like nothing.“
Researchers at cybersecurity firm Wiz claim to have “spotted over 25,000 affected repositories across ~350 unique users, 1,000 new repositories are being added consistently every 30 minutes in the last couple of hours.” The company recommends “immediate investigation and remediation” for any environment using npm.
Magazine: ‘Help! My robot vac is stealing my Bitcoin’: When smart devices attack
