A researcher warned that more than 400 NPM libraries, including at least 10 crypto packages mostly tied to ENS, were compromised by Shai Hulud malware.
News
A major JavaScript supply-chain attack has compromised hundreds of software packages, including at least 10 used widely across the crypto ecosystem, according to research from cybersecurity firm Aikido Security.
In a Monday post, Charlie Eriksen, a researcher at Aikido Security, the names of over 400 packages that showed signs of infection with the “Shai Hulud” self-replicating worm malware used in the ongoing JavaScript NPM library . Eriksen said he validated each detection to avoid false positives.
Many of the cryptocurrency-related packages involved receive tens of thousands of downloads per week and have numerous other packages that require them to function. In an X post earlier Monday, Eriksen also warned the Ethereum Name Service (ENS) team that several of their packages were affected.
Shai Hulud is part of a broader supply chain attack trend. In Early September, the saw hackers steal $50 million of crypto. Amazon Web Services that this first attack was followed by the Shai Hulud worm spreading autonomously a week later.
While the previous attack directly targeted crypto to steal assets, Shai Hulud is a general-purpose credential-stealing malware that spreads autonomously across developer infrastructure. If the infected environment contains wallet keys, the malware will steal them as “secrets” like any other credential.
Slava Demchuk, CEO of crypto forensics firm AMLBot, told Cointelegraph that “once a system is infected, the worm harvests secrets, replicates itself, makes private repositories public, and then continues to spread.” Any system where a compromised package is installed can be infected, but so far, “there is no mention of wallet keys or other such assets.”
“However, if there are sensitive secrets present in the environment where the infected packages are installed — and those secrets grant access to other systems — assume they have been exposed,” Demchuk warned.
Related:
Which crypto packages are affected?
Among all the affected packages, at least 10 were specifically related to the cryptocurrency industry, and most were tied to the ENS, a human-readable address name service. Among the affected packages were ENS’s content-hash, with almost 36,000 weekly downloads, and 91 software packages depending on it, as well as an address-encoder, with 37,500 weekly downloads.
Other ENS packages affected include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A cryptocurrency-related package unrelated to ENS, called crypto-addr-codec, was also compromised, with almost 35,000 downloads.
Related:
Popular non-crypto packages affected
Non-crypto-related packages affected include some offered by the corporate automation platform Zapier, including with over 40,000 downloads per week and many not far behind. In a subsequent post, Eriksen to other packages that were infected, some with nearly 70,000 weekly downloads, and to another seeing well over 1.5 million weekly downloads.
“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen on X.
“It’ll make the previous attack look like nothing.“
Researchers at cybersecurity firm Wiz to have “spotted over 25,000 affected repositories across ~350 unique users, 1,000 new repositories are being added consistently every 30 minutes in the last couple of hours.” The company recommends “immediate investigation and remediation” for any environment using npm.
Magazine:
