Crypto Flexs
The Shai Hulud malware has hit NPM as cryptocurrency libraries face a growing security crisis.

By Crypto Flexs | November 24, 2025 | 4 Mins Read

  • The infection includes at least 10 major cryptocurrency packages linked to the ENS ecosystem.
  • A previous NPM attack in early September resulted in $50 million worth of cryptocurrency being stolen.
  • Researchers discovered more than 25,000 affected repositories during their investigation.

A new Shai Hulud NPM infection has raised concerns throughout the JavaScript community as the malware continues to move through hundreds of software libraries.

Aikido Security confirmed that more than 400 NPM packages were compromised, including at least 10 widely used across the cryptocurrency ecosystem.

The scale of the problem places immediate pressure on developers, especially those using blockchain tools and applications, to assess risk.

The disclosure came on Monday, when Aikido Security released a detailed list of contaminated libraries after reviewing NPM for unusual behavior.

A separate post on X by researcher Charles Eriksen highlighted the list of infections, drawing attention to the key ENS packages involved in the incident.

The infection appears to be linked to active supply chain attacks that have been unfolding in recent weeks, adding momentum to a growing pattern of security incidents within JavaScript infrastructure.

The threat extends beyond previous NPM attacks.

The spike in infections followed a massive NPM breach in early September. The previous incident ended with attackers stealing $50 million worth of cryptocurrency, making it one of the largest supply chain incidents directly linked to digital asset theft.

According to Amazon Web Services, the attack led to the emergence of Shai Hulud within a week, which began to spread autonomously across projects.

The first incident in September directly targeted cryptocurrency assets, but Shai Hulud operates differently. It focuses on collecting credentials from any environment where an infected package is downloaded. If a wallet key is present, it is treated like any other secret and extracted.

This change in behavior has led to a wider range of new incidents.

Instead of pursuing a single target, the malware embeds itself in developer workflows and moves through dependency chains, increasing the potential for accidental exposure in both cryptocurrency and non-cryptocurrency projects.

ENS packages are significantly affected

The latest review shows that the affected cryptocurrency packages are concentrated around the Ethereum Name Service ecosystem. Several ENS-related libraries with tens of thousands of downloads each week appear in the list of compromised packages.

These include content-hash, address-encoder, ensjs, ens-validation, ethereum-ens, and ens-contracts.

To support his findings, Eriksen shared a detailed X post describing the compromised ENS packages. Soon after, a second X update from Eriksen reported that the infection had spread further, affecting additional repositories.

Each ENS package supports functionality used across wallet interfaces, blockchain applications, and tools that convert human-readable names into machine-readable formats.

Their popularity means the impact can extend beyond their direct maintainers to downstream developers who rely on them for core operations.

A separate crypto library, crypto-addr-codec, was also identified among the compromised packages. Although not related to ENS, it is used for wallet-related processes and has high weekly traffic, making it another priority for security review.

Increasing influence over non-crypto software

The spread is not limited to digital asset tools. Several non-crypto libraries were also affected, including packages related to the workflow automation platform Zapier.

Some of these packages have weekly downloads well over 40,000, indicating that the malware has reached parts of the JavaScript ecosystem unrelated to blockchain activity.

Additional libraries highlighted in later posts show even wider deployment. One package received close to 70,000 downloads per week.

Another shows weekly traffic of more than 1.5 million, reflecting a much wider reach than initial reports suggested.

The rapid expansion caught the attention of other security teams. Researchers at Wiz said they identified more than 25,000 affected repositories linked to about 350 users.

They also noted that in the early stages of their investigation, 1,000 new repositories were being added every 30 minutes.

This level of growth shows how quickly supply chain contamination can accelerate when packages are replicated through dependency networks.

Developers using NPM are advised to immediately perform a scan, validate their environment, and search for possible exposure.

Because dependency chains are interconnected across multiple industries, teams outside the cryptocurrency sector can also unknowingly integrate infected packages.
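
One way to start the scan advised above, as an added example that is not from the article or from any vendor it names: it walks a parsed package-lock.json and reports every install, direct or transitive, of the packages the article names. The article gives no affected version numbers, so the output is a list to compare against a published advisory; matching scoped names by their last segment and the sample lockfile are assumptions made here.

```javascript
// Package names as listed in the article. It gives no compromised version
// numbers, so this reports presence and resolved version only.
const NAMED = new Set([
  'content-hash', 'address-encoder', 'ensjs', 'ens-validation',
  'ethereum-ens', 'ens-contracts', 'crypto-addr-codec',
]);

// "node_modules/a/node_modules/@s/b" -> "@s/b"; root and workspace keys -> null
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Assumption: a bare name in the article may be published under a scope,
// so "@scope/ensjs" is compared as "ensjs".
function baseName(name) {
  return name.startsWith('@') ? name.split('/')[1] : name;
}

function findNamedPackages(lock) {
  const hits = [];
  const record = (name, version, where) => {
    if (name && NAMED.has(baseName(name))) hits.push({ name, version, where });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    record(nameFromPath(path), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because v2 files carry both and would be counted twice)
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      record(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: names, scope and versions are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/left-pad': { version: '1.3.0' },
  'node_modules/@example-scope/ensjs': { version: '0.0.0-sample' },
  'node_modules/wallet-ui/node_modules/content-hash': { version: '0.0.0-sample' },
} };
console.log(findNamedPackages(SAMPLE_LOCK));
```

Pass it the result of `JSON.parse` on a project's own `package-lock.json`; an empty result means only that none of these seven names is installed, not that the tree is free of the more than 400 packages reported.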

