Key Takeaways
- Over 400 JavaScript packages have been found infected with the self-replicating "Shai Hulud" malware.
- At least 10 widely used crypto-related packages, primarily tied to Ethereum Name Service (ENS), were compromised.
- Researchers warn that the attack is rapidly escalating, with approximately 1,000 new infected repositories appearing every 30 minutes.
Malware Infection of NPM Packages
A widespread JavaScript supply-chain attack has compromised hundreds of open-source packages, including several foundational tools utilized across the cryptocurrency ecosystem. This discovery was detailed in recent research from cybersecurity firm Aikido Security.
Shai Hulud also compromised these packages:
– @ensdomains/ens-validation
– @ensdomains/content-hash
– ethereum-ens
– @ensdomains/react-ens-address
– @ensdomains/ens-contracts
– @ensdomains/ensjs
– @ensdomains/ens-archived-contracts
– @ensdomains/dnssecoraclejs
@ensdomains
— Charlie Eriksen (@CharlieEriksen) November 24, 2025
The malware, identified as "Shai Hulud," was found embedded in more than 400 NPM libraries. Aikido researcher Charlie Eriksen confirmed that each detection was manually verified to rule out false positives, describing the scale of the outbreak as "massive."
Shai Hulud is part of an increasing trend of supply-chain attacks targeting developer infrastructure. While a prior NPM breach in September resulted in the theft of $50 million in cryptocurrency, this new worm is designed for autonomous credential theft. It operates by quietly siphoning off sensitive information, including wallet keys stored on infected machines.
Ethereum Name Service (ENS) Tools Heavily Impacted
More than 10 cryptocurrency-related packages have been confirmed as compromised, with nearly all of them linked to the Ethereum Name Service (ENS). This situation prompted Eriksen to issue a direct warning to the ENS team on X.
Among the most frequently downloaded infected libraries are content-hash, address-encoder, ensjs, ethereum-ens, ens-validation, and ens-contracts. Another high-volume crypto tool, crypto-addr-codec, was also compromised, averaging nearly 35,000 downloads per week.
Due to their extensive integration within wallets, decentralized applications (dApps), and blockchain infrastructure, the risk of downstream compromise is substantial.
Non-Crypto Packages Also Affected
The malware's reach extends significantly beyond the cryptocurrency sector. Popular packages from the corporate automation platform Zapier are among those affected, including one that experiences over 40,000 weekly downloads.
Eriksen later identified additional infected libraries with download counts approaching 70,000 per week, and one exceeding 1.5 million downloads per week. This highlights the deep penetration of the worm within the NPM ecosystem.
Accelerating Outbreak
Cybersecurity firm Wiz reported detecting over 25,000 infected repositories across more than 350 users. Their analysis indicated that approximately 1,000 new compromised repositories were appearing every 30 minutes during the preceding hours.
Wiz urged all developers utilizing NPM to commence immediate audits, dependency checks, and remediation of their environments.
In April, the XRP Ledger Foundation flagged a critical security vulnerability within its official JavaScript library, a tool commonly used by developers to interact with the XRP Ledger blockchain.
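As a starting point for the dependency check Wiz recommends, the following added example (not code from Aikido, Wiz, or the affected projects) walks an npm `package-lock.json` and reports every installed package, including nested and aliased ones, whose name appears in this article. The article lists no affected versions, so a match means "review this dependency", not "confirmed infected"; the sample lockfile and its versions are constructed.

```javascript
// Names exactly as given in the article (tweet list plus crypto-addr-codec).
// Assumption: the article gives no affected versions, so we match on name only.
const NAMED_IN_ARTICLE = new Set([
  "@ensdomains/ens-validation",
  "@ensdomains/content-hash",
  "ethereum-ens",
  "@ensdomains/react-ens-address",
  "@ensdomains/ens-contracts",
  "@ensdomains/ensjs",
  "@ensdomains/ens-archived-contracts",
  "@ensdomains/dnssecoraclejs",
  "crypto-addr-codec",
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function findNamedPackages(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // An explicit "name" field is present when the package is installed under an alias.
    const name = meta.name || nameFromLockPath(path);
    if (name && NAMED_IN_ARTICLE.has(name)) {
      hits.push({ name, version: meta.version, path, dev: Boolean(meta.dev) });
    }
  }
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfile; versions are made up for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/ethereum-ens": { version: "0.0.1" },
    "node_modules/some-wallet/node_modules/@ensdomains/content-hash": { version: "0.0.2", dev: true },
    "node_modules/content-hash-utils": { version: "0.0.3" }, // similar name, must not match
  },
};

for (const h of findNamedPackages(SAMPLE_LOCK)) {
  console.log(`REVIEW ${h.name}@${h.version} at ${h.path}${h.dev ? " (dev)" : ""}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findNamedPackages` and compare each reported version against the vendor advisories.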

