Shai Hulud Malware Targets NPM as Crypto Libraries Face Growing Security Crisis

  • The infection includes at least 10 major crypto-related packages connected to the ENS ecosystem.
  • A prior NPM attack in early September resulted in the theft of $50 million in cryptocurrency.
  • Researchers discovered more than 25,000 affected repositories during their investigation.

A new wave of NPM infections has alarmed the JavaScript community as the Shai Hulud malware continues to spread through hundreds of software libraries.

Aikido Security confirmed that over 400 NPM packages were compromised, including at least 10 widely used packages in the crypto ecosystem.

The scope of the problem puts developers under immediate pressure to assess their exposure, particularly those working with blockchain tools and applications.

The disclosure came on Monday, when Aikido Security published a detailed list of contaminated libraries after investigating unusual behavior on NPM.

A separate post from researcher Charles Eriksen also highlighted the list of infected packages on X and called out key ENS packages involved in the incident.

The infections appear to be part of an active supply-chain attack that has unfolded over recent weeks, contributing to a growing pattern of security incidents in the JavaScript ecosystem.

Threat Exceeds Previous NPM Attacks

The spike in infections follows a major NPM compromise from early September. That earlier incident culminated in attackers stealing approximately $50 million in cryptocurrencies, making it one of the largest supply-chain incidents directly tied to the theft of digital assets.

According to Amazon Web Services, the incident was followed within the week by the discovery of Shai Hulud, which began autonomously spreading between projects.

While the initial September attack specifically targeted crypto assets, Shai Hulud behaves differently. It focuses on harvesting credentials from any environment that downloads an infected package. If wallet keys are present, they are treated like any other secret and exfiltrated.

This behavioral shift broadens the reach of the current incident.

Rather than targeting a single asset class, the malware embeds itself into developer workflows and traverses dependency chains, increasing the risk of accidental exposure across both crypto and non-crypto projects.

ENS Packages Heavily Impacted

The crypto packages flagged in the latest review show a clear concentration around the Ethereum Name Service ecosystem. Several ENS-related libraries appear in the list of compromised packages, many of which have tens of thousands of weekly downloads.

These include content-hash, address-encoder, ensjs, ens-validation, ethereum-ens, and ens-contracts.

To support his findings, Eriksen shared a detailed thread on X describing the compromised ENS packages. A follow-up update expanded on the broader spread of infections affecting additional repositories.

Each ENS package supports functionality used across wallet interfaces, blockchain applications, and tools that convert human-readable names to machine-readable formats.

Their popularity means the impact can extend beyond direct maintainers to downstream developers who rely on them for critical operations.

A separate crypto-related library, crypto-addr-codec, was also identified among the compromised packages. Although not ENS-specific, it is used in wallet-related processes and has high weekly traffic, making its contamination a priority for security review.

Growing Impact Across Non-Crypto Software

The spread is not limited to digital-asset tools. Several non-crypto libraries were also affected, including packages associated with the workflow automation platform Zapier.

Some of these packages report weekly downloads well above forty thousand, indicating the malware reached parts of the JavaScript ecosystem not directly tied to blockchain activity.

Later updates highlighted libraries with even wider distribution—one package showed nearly seventy thousand weekly downloads, and another reported over 1.5 million weekly downloads—revealing a far broader reach than initial reports suggested.

The rapid expansion drew attention from other security teams. Researchers at Wiz reported identifying more than 25,000 affected repositories linked to roughly 350 users.

They also noted that in early stages of the investigation, about a thousand new repositories were being added every thirty minutes.

This rate of growth demonstrates how quickly supply-chain contamination can accelerate as packages replicate across dependency networks.

Developers using NPM are advised to perform immediate checks, validate environments, and scan for potential exposures.

Because dependency chains span multiple industries, teams outside the crypto sector can unknowingly incorporate infected packages into their projects.