Massive NPM Supply-Chain Attack Targets ENS-Linked Libraries in Shai Hulud Breach

A massive JavaScript-based Node Package Manager (npm) supply-chain attack has infiltrated code libraries related to the Ethereum Name Service (ENS) and hundreds of other software packages, over 10 of them widely used across the crypto ecosystem, according to cybersecurity firm Aikido Security.

Charlie Eriksen, a malware researcher at the security firm, disclosed that the supply-chain malware known as “Shai-Hulud: The Second Coming” has infected hundreds of packages and more than 25,000 GitHub repositories.

According to the findings, threat actors have embedded this malicious code into over 490 npm packages with more than 132 million monthly downloads, including prominent ones from ENS, Zapier, AsyncAPI, Browserbase, and Postman.

“If a developer installs one of these bad packages, the malware quietly runs during installation, before anything even finishes installing,” Eriksen said.

How the Shai-Hulud Supply-Chain Malware Works

As described by Aikido Security, the Shai-Hulud malware gains access to the developer’s machine or cloud environment during installation.

It then deploys an automated tool called TruffleHog to scan for sensitive data, including passwords, API keys, cloud tokens, and GitHub or npm credentials.

Any discovered data is then uploaded to a public GitHub repository titled “Shai-Hulud: The Second Coming.”

If the stolen credentials include access to code repositories or package registries, attackers can leverage them to breach additional accounts and distribute more malicious packages, allowing the attack to propagate further.

Evolution from September’s Attack

The initial Shai-Hulud breach occurred in early September, marking the largest npm attack on record at the time, with hackers stealing $50 million in cryptocurrency.

Hardware wallet maker Ledger noted that this first attack was followed by the Shai Hulud worm spreading autonomously a week later.

However, the infiltration method for this second wave appears significantly different.

“Shai-Hulud: The Second Coming” first installs Bun via the file setup_bun.js, then uses it to execute bun_environment.js, which contains the actual malicious code.

Image: Massive NPM Supply-Chain Attack Targets ENS-Linked Libraries in Shai Hulud Breach (Source: Aikido Blog)

It creates randomly named repositories for the stolen data rather than using hardcoded names, and can infect up to 100 npm packages, compared with 20 in the earlier attack.

Self-Propagating Malware Exposes Blind Spot in NPM Packages

Charles Guillemet, Chief Technology Officer at crypto hardware wallet maker Ledger, alerted the community that the malware also targets API keys, Git credentials, and CI/CD secrets, then quietly exfiltrates everything.

“If you use affected packages: PLEASE check this carefully: consider your credentials and secrets compromised, audit your infrastructure, and rotate your credentials,” he cautioned.

He suggested that anyone without close CI monitoring might consider shutting down their systems.

Florian Roth, Head of Research at Nextron Systems, also added that it’s becoming increasingly easy for threat actors to inject malware into sensitive systems due to blind spots in npm packages.

According to his assessment, the industry previously fought malware at the OS level, but now the same behavior occurs one layer up, inside the software ecosystems people trust every day.

“NPM tokens, transitive deps, weak account hygiene, zero visibility… and suddenly a self-propagating worm runs through the supply chain like it’s 2003 again.”

He concluded that the recent Shai Hulud breach shows that the real blind spot is package ecosystems acting as execution surfaces.

“Nobody monitors them, nobody hardens them, and attackers don’t even need an exploit to make them go wild,” he said.

JP Richardson, CEO of Exodus, the first public company in the U.S. to tokenize stocks on the blockchain, also questioned Microsoft for making it “easy” for threat actors to propagate malware.

In a November 24 post, Richardson said, “What I don’t understand [is] why Microsoft (npm owner) isn’t moving fast enough to detect these attacks.”

He believes any package that has a pre-install or post-install script added should display warnings to everyone on the npm website and before package installation.

The post Massive NPM Supply-Chain Attack Targets ENS-Linked Libraries in Shai Hulud Breach appeared first on Cryptonews.