- Infections include at least 10 major crypto-related packages linked to the ENS ecosystem
- A prior NPM attack in early September resulted in $50 million in crypto theft
- Researchers found more than 25,000 affected repositories during their investigation
A new wave of NPM infections has alarmed the JavaScript community as the Shai Hulud malware continues to spread across hundreds of software libraries.
Aikido Security confirmed that more than 400 NPM packages were compromised, including at least 10 widely used packages within the crypto ecosystem.
The scale of the issue has placed immediate pressure on developers to assess risk, especially those working with blockchain tools and applications.
The disclosure came on Monday when Aikido Security published a detailed list of contaminated libraries after reviewing unusual behavior observed in NPM.
A separate post by researcher Charles Eriksen (on X) also highlighted the infection listings and drew attention to key ENS-related packages involved in the incident.
The infections appear to be linked to an ongoing supply-chain attack that began in recent weeks, adding momentum to an escalating pattern of security incidents within the JavaScript ecosystem.
Threat Extends Beyond Previous NPM Attacks
The renewed wave of infections followed a major NPM compromise in early September that culminated in attackers stealing roughly $50 million in cryptocurrency, making it one of the largest supply-chain incidents tied directly to digital asset theft.
According to Amazon Web Services, the follow-up attacks emerged within a week and involved the Shai Hulud worm, which began propagating automatically across projects.
While the initial September incident directly targeted crypto assets, Shai Hulud’s later behavior differs: it focuses on harvesting credentials and environment data from any system that downloads an infected package. If wallet keys exist in that environment, the malware treats them as high-value secrets and exfiltrates them.
This behavioral shift broadens the scope of the intrusion.
Instead of targeting a single objective, the malware embeds itself into developer workflows and travels through dependency chains, increasing the chance of inadvertent exposure in both crypto and non-crypto projects.
ENS Packages Hit Hard
The crypto packages identified in the latest review reveal a clear concentration on the Ethereum Name Service (ENS) ecosystem. Multiple ENS-related libraries—some with tens of thousands of weekly downloads—appear on the list of compromised packages.
These include content-hash, address-encoder, ensjs, ens-validation, ethereum-ens, and ens-contracts.
To support these findings, Eriksen shared a detailed post summarizing the ENS packages that were compromised. Shortly after, a second X update from Eriksen expanded the scope of the infection, identifying additional affected repositories.
Each ENS package supports functions used in wallet interfaces, blockchain applications, and tools that convert human-readable names into machine-readable formats.
Their popularity means the impact could ripple beyond direct maintainers to downstream developers who depend on these libraries for core operations.
A separate crypto library, crypto-addr-codec, was also identified among compromised packages. Although not ENS-specific, it is used in wallet-related processes and has high weekly usage.
Wider Impact on Non-Crypto Software
The spread is not limited to crypto tooling. Several non-crypto libraries were also affected, including a package tied to the automated workflow platform Zapier (@zapier/secret-scrubber).
Some of these compromised packages report weekly downloads exceeding forty thousand, indicating the malware reached parts of the JavaScript ecosystem unrelated to blockchain activity.
Later posts highlighted libraries with even higher distribution—one package showed nearly seventy thousand downloads per week, while another logged more than 1.5 million weekly hits—reflecting a broader footprint than initial reports suggested.
The rapid expansion drew attention from other security teams as well. Researchers at Wiz reported they identified over 25,000 affected repositories linked to roughly 350 users.
Wiz also noted that investigators observed about one thousand newly affected repositories every thirty minutes during the early phase of their analysis.
This rate of growth demonstrates how quickly supply-chain contamination can accelerate when packages propagate through networks of dependencies.
Developers working with NPM are advised to perform immediate audits, inspect their environments, and scan for potential compromise indicators.
Because dependency chains span many industries, teams outside the crypto sector can inadvertently incorporate infected packages into their projects.