- The infection includes at least 10 significant crypto-related packages tied to the ENS ecosystem.
- A prior NPM attack in early September resulted in roughly $50 million in stolen cryptocurrency.
- Researchers discovered more than 25,000 affected repositories during their investigation.
A new wave of NPM infections has alarmed the JavaScript community as the Shai Hulud malware continues to spread across hundreds of software libraries.
Aikido Security has confirmed that over 400 NPM packages have been compromised, including at least 10 packages widely used within the crypto ecosystem.
The scope of the problem places immediate pressure on developers to assess risk, particularly those working with blockchain tools and applications.
The disclosure was published Monday when Aikido Security released a detailed list of infected libraries after observing unusual behavior across NPM packages.
Researcher Charles Eriksen also shared a separate post on X highlighting the list of infections he observed, calling attention to several key ENS packages involved in the incidents.
The infections appear to be part of an active supply-chain attack campaign that has evolved over recent weeks, adding to a growing number of security incidents affecting JavaScript infrastructure.
Threat Expands Beyond Earlier NPM Attacks
The recent surge in infections followed a major NPM compromise in early September. That earlier incident culminated in attackers stealing approximately $50 million in cryptocurrency, making it one of the largest supply-chain events directly tied to digital asset theft.
According to Amazon Web Services, the initial breach was quickly followed by the arrival of Shai Hulud, which began propagating autonomously across different projects.
While the September incident targeted cryptocurrency directly, Shai Hulud behaves differently in the current campaign. Its focus is on harvesting credentials and sensitive material from any environment that loads an infected package. If wallet keys are present in that environment, they are treated like any other secret and are exfiltrated.
This behavioral shift broadens the risk profile significantly.
Rather than targeting a single objective, the malware integrates into developer workflows and traverses dependency chains. This increases the chance of accidental exposure across both crypto and non-crypto projects.
ENS Packages Heavily Impacted
The crypto-related packages identified in the latest review show a clear concentration around the Ethereum Name Service ecosystem. Several ENS-related libraries, many with tens of thousands of weekly downloads, appear on the compromised list.
Examples include content-hash, address-encoder, ensjs, ens-validation, ethereum-ens, and ens-contracts.
To support these findings, Eriksen shared a detailed X post listing the compromised ENS packages. He followed up with another X update that expanded on broader infection spread affecting additional repositories.
Each ENS package supports different wallet integration functions, blockchain applications, and utilities that convert human-readable names into machine-readable formats.
Because these packages are widely used, the impact can extend beyond direct maintainers to downstream developers who rely on them for core functionality.
A separate crypto-related library, crypto-addr-codec, was also identified among the compromised packages. Although not ENS-specific, it participates in wallet-related processes and has substantial weekly traffic, making it another priority for security reviews.
Growing Impact on Non-Crypto Software
The spread is not limited to digital asset tooling. Several non-crypto libraries were also affected, including packages related to the Zapier process automation platform.
Some of these packages report weekly downloads well over forty thousand, indicating the malware has reached parts of the JavaScript ecosystem unrelated to blockchain activity.
Additional libraries highlighted in subsequent analyses show even broader distribution. One package logged nearly seventy thousand weekly downloads, while another recorded more than 1.5 million weekly downloads — a footprint far larger than initial reports suggested.
The rapid expansion has drawn the attention of multiple security teams. Researchers at Wiz reported identifying over 25,000 infected repositories tied to roughly 330 users.
They also observed that, during the early stages of the investigation, roughly a thousand new repositories were being added about every five to ten minutes.
That rate of growth demonstrates how quickly a supply-chain contamination can accelerate as packages propagate through dependency networks.
Developers working with NPM are urged to perform immediate checks: validate environments, scan for potential exposures, and audit dependency trees for any of the listed compromised packages.
Because dependency chains interconnect teams across many industries, even projects outside the crypto sector may unknowingly integrate infected packages and face elevated risk.
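As an illustration of the dependency-tree audit urged above, the following added example (not code from Aikido, Wiz, or any researcher cited here) walks a parsed package-lock.json and flags every install path whose package name matches one named in this article. The function names, the scope-stripping rule, and the sample lockfile are assumptions made for the example; the article lists no affected versions, so a match is only a prompt to check the published advisory list.

```javascript
// Package names exactly as listed in this article. The article gives no
// versions, so a hit means "check against the published advisory list".
const WATCHLIST = new Set([
  "content-hash", "address-encoder", "ensjs", "ens-validation",
  "ethereum-ens", "ens-contracts", "crypto-addr-codec",
]);
// Assumption: scoped forms ("@scope/name") are matched on the part after the scope.
function baseName(pkgName) {
  return pkgName.startsWith("@") ? pkgName.split("/").slice(1).join("/") : pkgName;
}

// Takes a parsed package-lock.json object; returns [{ name, version, path }].
function auditLockfile(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (WATCHLIST.has(baseName(name))) hits.push({ name, version, path });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; meta.name is set for aliases.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // "" is the root project itself
      check(meta.name || path.slice(idx + "node_modules/".length), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail.concat(name).join(" > "));
        walk(meta.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (not real data; versions are placeholders).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/ethereum-ens": { version: "0.0.0-sample" },
    "node_modules/wallet-kit/node_modules/@example-scope/content-hash": { version: "0.0.0-sample" },
  },
};
auditLockfile(SAMPLE_LOCK).forEach((h) => console.log(`REVIEW ${h.name}@${h.version} at ${h.path}`));
```

To run it against a real project, pass the result of JSON.parse on the contents of package-lock.json to auditLockfile; transitive matches are reported with their full install path so the parent dependency that pulled them in is visible.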