Shai Hulud malware hits NPM as crypto libraries face growing security crisis
2025/12/16
- The infection includes at least ten major crypto packages connected to the ENS ecosystem.
- A previous NPM attack in early September resulted in $50 million worth of stolen cryptocurrency.
- Researchers found more than 25,000 affected repositories during the investigation.
A new round of NPM infections has sparked concern in the JavaScript community as the Shai Hulud malware continues to move through hundreds of software libraries.
Aikido Security has confirmed that more than 400 NPM packages have been compromised, including at least 10 that are widely used across the crypto ecosystem.
The scale of the problem immediately puts pressure on developers to assess the risk, especially those working with blockchain tools and applications.
The revelation came on Monday, when Aikido Security published a detailed list of contaminated libraries after checking for unusual behavior on NPM.
A separate post by researcher Charles Eriksen on X also highlighted the infection list and drew attention to key ENS packages involved in the incident.
The infections appear to be related to an active supply chain attack that has taken place in recent weeks, adding momentum to a pattern of increasing security incidents in JavaScript infrastructure.
The threat expands beyond previous NPM attacks
The rise in infections follows a major NPM breach in early September. This previous case ended with attackers stealing $50 million worth of crypto, making it one of the largest supply chain incidents directly linked to digital asset theft.
According to Amazon Web Services, that attack was followed within a week by the emergence of Shai Hulud, which spread autonomously across projects.
While the first incident in September was directly aimed at crypto assets, Shai Hulud is acting differently. It focuses on collecting credentials from any environment that downloads an infected package. If wallet keys are present, they are treated and extracted like any other secret.
This change in behavior makes the new incident more comprehensive.
Instead of pursuing a single target, the malware integrates itself into developer workflows and traverses dependency chains, increasing the likelihood of accidental exposure on both crypto and non-crypto projects.
ENS packages severely affected
The crypto packages affected in the latest review show a clear focus on the Ethereum Name Service ecosystem. Several ENS-related libraries, many with tens of thousands of weekly downloads, appear on the compromised list.
These include content-hash, address-encoder, ensjs, ens-validation, ethereum-ens and ens-contracts.
To support the results, Eriksen published a detailed X post in which he laid out the compromised ENS packages. Shortly thereafter, a second X update by Eriksen expanded on the broader spread of infections, which affects additional repositories.
Each ENS package supports features used across wallet interfaces, blockchain applications, and tools that convert human-readable names into machine-readable formats.
Their popularity means their influence extends beyond direct maintainers to downstream developers who rely on them for their core operations.
A separate crypto library, crypto-addr-codec, was also identified among the compromised packages. Although not related to ENS, it is used in wallet-related processes and has high weekly traffic, making its contamination another priority area for security audits.
Growing influence on non-crypto software
The spread is not limited to digital asset tools. Several non-crypto libraries are also affected, including packages connected to the workflow automation platform Zapier.
Some of these report weekly downloads well over forty thousand, suggesting that the malware has reached parts of the JavaScript ecosystem unrelated to blockchain activity.
Additional libraries highlighted in later posts show even higher levels of distribution. One package had nearly seventy thousand weekly downloads.
Another reported weekly traffic over a million and a half, reflecting significantly greater coverage than early reports suggested.
The rapid expansion has caught the attention of other security teams. Wiz researchers stated that they had identified more than twenty-five thousand affected repositories associated with approximately three hundred and fifty users.
They also pointed out that in the early stages of the investigation, a thousand new repositories were added every thirty minutes.
This level of growth shows how quickly supply chain contamination can accelerate as packages replicate across dependency networks.
Developers working with NPM have been advised to conduct immediate checks, validate environments and check for possible exposure.
Because dependency chains are interconnected across multiple industries, even teams outside the crypto sector could unknowingly integrate infected packages.
