JavaScript Supply Chain Attack: A Crypto Threat Emerges

New research from cybersecurity firm Aikido Security has revealed a major JavaScript supply chain attack, compromising hundreds of software packages – including at least 10 that are extensively used within the cryptocurrency ecosystem.

In a Monday announcement, Charlie Eriksen, a researcher at Aikido Security, disclosed the names of over 400 packages exhibiting signs of infection by the “Shai Hulud” self-replicating malware, which is being leveraged in an ongoing JavaScript NPM library supply chain attack. Eriksen stated that each detection was validated to minimize false positives.

Several of the impacted cryptocurrency-related packages receive tens of thousands of weekly downloads and are critical dependencies for numerous other packages. Eriksen also alerted the Ethereum Name Service (ENS) team via an X post, indicating that multiple ENS packages were affected.

Shai Hulud is indicative of a broader supply chain attack trend. Earlier in September, the largest reported NPM attack resulted in the theft of $50 million in cryptocurrency. Amazon Web Services noted that the initial attack was quickly followed by the autonomous spread of the Shai-Hulud worm within a week.

While the previous attack directly targeted crypto assets for theft, Shai-Hulud operates as a general-purpose credential-stealing malware, spreading autonomously across developer infrastructure. If the compromised environment contains wallet keys, the malware will exfiltrate them as “secrets,” similar to any other sensitive credential.

Affected Crypto Packages

Among the affected packages, at least 10 are specifically linked to the cryptocurrency industry, with a heavy concentration around ENS, a human-readable address name service. Notable impacted packages include ENS’s content-hash, boasting nearly 36,000 weekly downloads and 91 dependent software packages, and address-encoder, with over 37,500 weekly downloads.

Other affected ENS packages include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A non-ENS-related crypto package, crypto-addr-codec, was also compromised, seeing almost 35,000 downloads.

Popular Non-Crypto Packages Impacted

Affected packages extend beyond the cryptocurrency realm, impacting offerings from corporate automation platform Zapier, including one with over 40,000 weekly downloads and several others not far behind. Eriksen further identified other infected packages, some nearing 70,000 weekly downloads, and another exceeding 1.5 million weekly downloads.

“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen wrote on X.

“It’ll make the previous attack look like nothing.”

Researchers at cybersecurity firm Wiz claim to have “spotted over 25,000 affected repositories across ~350 unique users, 1,000 new repositories are being added consistently every 30 minutes in the last couple of hours.” The company recommends “immediate investigation and remediation” for any environment using npm.
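Wiz's call for "immediate investigation and remediation" starts with finding out whether any of the packages named above sit anywhere in a project's dependency tree, including transitively. The following script is an added example, not code from the article, Aikido Security or Wiz: it walks an npm `package-lock.json` (lockfileVersion 2 or 3, which records every installed path in its `packages` map) and reports each occurrence of the package names the article lists. Two assumptions are worth stating: the article names the packages without their npm scope, so matching is done on the unscoped basename (a scoped `@something/content-hash` is reported too), and the article gives no affected version ranges, so every occurrence is reported for manual comparison against the vendor advisory rather than filtered by version. The embedded lockfile is constructed for the demonstration; its scope and versions are placeholders.

```javascript
// Added example: triage an npm lockfile for the package names the article
// lists as affected by the Shai-Hulud campaign. Not from the article or
// from Aikido Security. Version ranges are not on the page, so every hit
// is reported for manual checking against the vendor advisory.

// Package names as given in the article (assumption: these are the
// unscoped basenames; the real npm packages may be published under a scope).
const ARTICLE_NAMED_PACKAGES = new Set([
  "content-hash", "address-encoder", "ensjs", "ens-validation",
  "ethereum-ens", "ens-contracts", "crypto-addr-codec",
]);

// Lockfile keys look like "node_modules/@scope/name" or, for nested
// installs, "node_modules/a/node_modules/b". Return the innermost name,
// or null for the root project entry ("").
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  if (idx === -1) return null;
  return key.slice(idx + marker.length);
}

// "@scope/name" -> "name"; unscoped names are returned unchanged.
function unscopedBasename(name) {
  return name.startsWith("@") ? name.split("/")[1] : name;
}

// Returns one record per installed path whose basename is on the watchlist.
function findSuspectPackages(lockfile, watchlist = ARTICLE_NAMED_PACKAGES) {
  const hits = [];
  const packages = lockfile.packages || {};
  for (const [key, meta] of Object.entries(packages)) {
    const name = packageNameFromLockKey(key);
    if (!name) continue;
    if (watchlist.has(unscopedBasename(name))) {
      hits.push({
        path: key,
        name,
        version: meta.version ?? "unknown",
        dev: Boolean(meta.dev), // dev-only deps still run install scripts
      });
    }
  }
  return hits;
}

// Human-readable lines for the report; returned rather than printed so the
// result can be checked programmatically.
function auditReport(lockfile) {
  return findSuspectPackages(lockfile).map(
    (h) => `${h.dev ? "[dev] " : ""}${h.name}@${h.version} (${h.path})`
  );
}

// Constructed sample lockfile (scope and versions are placeholders).
const SAMPLE_LOCKFILE = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "1.0.0" },
    "node_modules/@example-scope/content-hash": { version: "0.0.0-placeholder" },
    "node_modules/crypto-addr-codec": { version: "0.0.0-placeholder" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-lib/node_modules/address-encoder": {
      version: "0.0.0-placeholder",
      dev: true,
    },
  },
};

// Usage: `node audit-lock.js ./package-lock.json`; with no argument the
// constructed sample above is scanned instead.
let lockToScan = SAMPLE_LOCKFILE;
if (typeof process !== "undefined" && process.argv[2]) {
  lockToScan = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
}
const report = auditReport(lockToScan);
console.log(report.length ? report.join("\n") : "no article-listed packages found");
```

A clean report from this script is not a clean bill of health: it only covers the names the article happens to list, and the worm also harvests credentials from the developer machine and CI environment that installed the packages, so the credentials reachable from any host where a hit appears should be rotated as well.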


Risk Warning: this article represents only the author’s views and is for reference only. It does not constitute investment advice or financial guidance, nor does it represent the stance of the Markets.com platform. When considering shares, indices, forex (foreign exchange) and commodities for trading and price predictions, remember that trading CFDs involves a significant degree of risk and could result in capital loss. Past performance is not indicative of any future results. This information is provided for informative purposes only and should not be construed to be investment advice. Trading cryptocurrency CFDs and spread bets is restricted for all UK retail clients.