Quick Breakdown
- Over 400 JavaScript packages found infected with the self-replicating “Shai Hulud” malware.
- At least 10 widely used crypto-related packages, mostly tied to Ethereum Name Service, were compromised.
- Researchers warn the attack is rapidly escalating, adding 1,000 infected repositories every 30 minutes.
Massive NPM malware outbreak exposes crypto developers
A sweeping JavaScript supply-chain attack has compromised hundreds of open-source packages, including several foundational tools used across the crypto ecosystem, according to new research from cybersecurity firm Aikido Security.
Shai Hulud also compromised these packages:
– @ensdomains/ens-validation
– @ensdomains/content-hash
– ethereum-ens
– @ensdomains/react-ens-address
– @ensdomains/ens-contracts
– @ensdomains/ensjs
– @ensdomains/ens-archived-contracts
– @ensdomains/dnssecoraclejs @ensdomains
— Charlie Eriksen (@CharlieEriksen) November 24, 2025
The malware, known as “Shai Hulud,” was discovered embedded in more than 400 NPM libraries. Aikido researcher Charlie Eriksen said each detection was manually verified to eliminate false positives, calling the outbreak’s scale “massive.”
Shai Hulud is part of a growing wave of supply-chain attacks targeting developer infrastructure. While an earlier NPM breach in September led to the theft of $50 million in crypto, the new worm is designed for autonomous credential theft, quietly siphoning off secrets, including wallet keys stored on infected machines.
ENS tools among the hardest hit
More than 10 cryptocurrency-related packages have been confirmed compromised. Nearly all are tied to the Ethereum Name Service (ENS), prompting Eriksen to issue a direct warning to the ENS team on X.
Some of the most-downloaded infected libraries include content-hash, address-encoder, ensjs, ethereum-ens, ens-validation and ens-contracts. Another high-volume crypto tool, crypto-addr-codec, was also compromised, averaging nearly 35,000 downloads a week.
Given their deep integration within wallets, dApps, and blockchain infrastructure, the risk of downstream compromise is significant.
High-traffic non-crypto packages also infected
The malware’s reach extends far beyond crypto. Popular packages from corporate automation platform Zapier are among those affected, including one with more than 40,000 weekly downloads.
Eriksen later identified additional infected libraries approaching 70,000 weekly downloads, and one exceeding 1.5 million downloads per week, underscoring how deeply the worm has penetrated the NPM ecosystem.
Researchers warn outbreak is accelerating
Cybersecurity firm Wiz reported detecting over 25,000 infected repositories spanning 350+ users, with roughly 1,000 new compromised repositories appearing every 30 minutes over the past few hours.
The firm urged all developers using NPM to begin immediate audits, dependency checks, and remediation of environments. In April, the XRP Ledger Foundation flagged a critical security vulnerability in its official JavaScript library, a widely used tool for developers to interact with the XRP Ledger blockchain.
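As a starting point for the dependency checks urged above, this added example (not code from Aikido, Wiz or any project named in the article) walks a parsed package-lock.json and reports every install, direct or transitive, of the package names this article lists. The article gives no affected version numbers, so a hit is a candidate for review rather than proof of infection; the sample lockfile, its versions and the name `some-wallet-lib` are constructed.

```javascript
// Package names taken from the article; it gives no affected version numbers,
// so a match means "review this dependency", not "confirmed infected".
const NAMED_PACKAGES = new Set([
  "@ensdomains/ens-validation", "@ensdomains/content-hash",
  "ethereum-ens", "@ensdomains/react-ens-address",
  "@ensdomains/ens-contracts", "@ensdomains/ensjs",
  "@ensdomains/ens-archived-contracts", "@ensdomains/dnssecoraclejs",
  "crypto-addr-codec",
]);

// Walk a parsed package-lock.json and return every install of a named package,
// including transitive and nested copies.
function findNamedPackages(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // "" is the root project, others are workspaces
    const name = meta.name || path.slice(i + "node_modules/".length);
    if (NAMED_PACKAGES.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both views of the same tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (NAMED_PACKAGES.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real data): one direct and one nested hit.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "1.0.0" },
    "node_modules/ethers": { version: "0.0.0-sample" },
    "node_modules/@ensdomains/ensjs": { version: "0.0.0-sample" },
    "node_modules/some-wallet-lib/node_modules/crypto-addr-codec": { version: "0.0.0-sample" },
  },
};

for (const h of findNamedPackages(sampleLock)) {
  console.log(`REVIEW ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, pass the result of `JSON.parse` on the project's package-lock.json to `findNamedPackages` and compare any reported versions with the version lists published by the researchers.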
























