NPM Supply-chain Attack Compromises Major ENS and Crypto Libraries
A researcher warned that more than 400 NPM libraries, including at least 10 crypto packages mostly tied to ENS, were compromised by Shai Hulud malware.
A major JavaScript supply-chain attack has compromised hundreds of software packages, including at least 10 used widely across the crypto ecosystem, according to research from cybersecurity firm Aikido Security.
In a Monday post, Charlie Eriksen, a researcher at Aikido Security, shared the names of over 400 packages that showed signs of infection with the “Shai Hulud” self-replicating worm malware used in the ongoing JavaScript NPM library supply chain attack. Eriksen said he validated each detection to avoid false positives.
Many of the cryptocurrency-related packages involved receive tens of thousands of downloads per week and have numerous other packages that require them to function. In an X post published earlier Monday, Eriksen also warned the Ethereum Name Service (ENS) team that several of their packages were affected.
Shai Hulud is part of a broader supply chain attack trend. In early September, the largest NPM attack reported to date saw hackers steal $50 million of crypto. Amazon Web Services noted that this first attack was followed by the Shai Hulud worm spreading autonomously a week later.
While the previous attack directly targeted crypto to steal assets, Shai Hulud is a general-purpose credential-stealing malware that spreads autonomously across developer infrastructure. If the infected environment contains wallet keys, the malware will steal them as “secrets” like any other credential.
Slava Demchuk, CEO of crypto forensics firm AMLBot, told Cointelegraph that “once a system is infected, the worm harvests secrets, replicates itself, makes private repositories public, and then continues to spread.” Any system where a compromised package is installed can be infected, but so far, “there is no mention of wallet keys or other such assets.”
“However, if there are sensitive secrets present in the environment where the infected packages are installed — and those secrets grant access to other systems — assume they have been exposed,” Demchuk warned.
Among all the affected packages, at least 10 were specifically related to the cryptocurrency industry, and most were tied to the ENS, a human-readable address name service. Among the affected packages were ENS’s content-hash, with almost 36,000 weekly downloads, and 9
Source: CoinTelegraph