Shai Hulud NPM worm hits ENS and crypto libraries

A self-replicating attack on the npm JavaScript registry has infected hundreds of packages, including libraries used across crypto projects. Aikido Security identified the malware, called “Shai Hulud,” and reported that Ethereum Name Service (ENS) components are among those affected. The code is designed to steal credentials and spread through developer systems where infected packages are installed, with at least 2,000 packages used in crypto projects appearing in the impact set.

In a post on Monday, Aikido Security researcher Charlie Eriksen listed more than 270 packages showing signs of infection and noted that each detection was manually checked to reduce false positives. Eriksen also alerted the ENS team about impact to multiple ENS-related libraries.

Packages tied to ENS that appeared in the list include content-hash, address-encoder, ensjs, ens-validation, ethereum-ens, and ens-contracts. A non-ENS crypto library, crypto-addr-codec, also appeared. Many of these packages record tens of thousands of weekly downloads and serve as dependencies for other software, increasing the chance of downstream exposure.

The compromise extends beyond crypto. Eriksen pointed to non-crypto packages linked to the automation platform Zapier, including one with more than 40,000 weekly downloads, others approaching 70,000, and a separate npm package with well over 1.5 million weekly downloads.

Cybersecurity company Wiz reported more than 25,000 affected repositories across roughly 350 users, with about 1,000 new repositories being added every 30 minutes during its observation window. The firm urged immediate investigation and remediation in environments that use npm.

Shai Hulud operates as a credential stealer that replicates across connected machines. If wallet keys are present in an infected development environment, the malware can collect them as it would other stored secrets.

The activity comes shortly after a separate large-scale npm incident in early September that targeted crypto assets. Amazon Web Services observed that the Shai Hulud worm began spreading automatically about a week later.

“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen wrote, adding that the impact could exceed the earlier incident.

Researchers recommend reviewing dependency trees, auditing build systems, rotating credentials, and checking for unexpected changes in repositories. Aikido Security continues to validate additional suspected packages as the inquiry proceeds.

As we reported earlier, researchers found at least nine NuGet .NET packages uploaded in 2023 that hid delayed logic bombs set for August 2027 and November 2028, downloaded about 9,500 times before detection. 

The code used IL weaving and post-restore execution seen in 2024 incidents, with long delays, then tampered with database operations after the trigger dates, sometimes terminating apps with a 20% chance, and causing PLC write failures after 30–90 minutes. Because NuGet dependencies propagate through CI/CD, long-lived services and build agents could carry the payload, including .NET crypto and DeFi backends where exposed secrets would be at risk.