Shai Hulud Malware Hits 400+ JavaScript Packages in Major NPM Supply-Chain Attack


What Happened in the Shai Hulud JavaScript Attack?
A major JavaScript supply-chain attack has compromised more than 400 NPM packages — including at least 10 widely used across the crypto ecosystem — according to new research published by cybersecurity firm Aikido Security.
Charlie Eriksen, a researcher at Aikido, identified the infected libraries and confirmed each detection manually to minimize false positives. The malware, named “Shai Hulud,” is an autonomous, self-replicating worm designed to infiltrate developer workflows and steal credentials. If the compromised environment contains crypto wallet keys, the malware harvests them as readily as login secrets.
Eriksen warned the Ethereum Name Service (ENS) team that several of its core packages had been compromised. Many of these receive tens of thousands of weekly downloads and sit deep inside dependency chains used by wallets, dApps, and infrastructure tools. Because of the nature of NPM ecosystems, a compromise at the package level can spread across dozens of downstream projects.
Shai Hulud follows a troubling pattern. Earlier in September, the largest NPM supply-chain attack on record resulted in more than 50 million . noted that the first attack was swiftly followed by the spread of the Shai Hulud worm a week later.
While the prior attack explicitly , Shai Hulud functions as a general-purpose credential stealer that spreads laterally across developer environments. That makes it especially dangerous for teams , RPC credentials, signing infrastructure, and environment variables.
Which Crypto Packages Were Compromised?
At least 10 crypto-specific packages were infected, and nearly all were tied to ENS, one of the most widely integrated naming systems in the ecosystem. Key affected packages include:
- content-hash — almost 36,000 weekly downloads and 91 dependent packages
- address-encoder — more than 37,500 weekly downloads
- ensjs — over 30,000 weekly downloads
- ens-validation — 1,750 weekly downloads
- ETH-ens — 12,650 weekly downloads
- ens-contracts — nearly 3,100 weekly downloads
- crypto-addr-codec — a non-ENS crypto package with nearly 35,000 downloads
These libraries form core components of ENS integration, address parsing, and on-chain resolution tools that are embedded across wallets, platforms, token interfaces, and infrastructure scripts. Because so many packages depend on these libraries, the potential blast radius is large.
Broader NPM packages were also infected, including modules used by enterprise automation platform Zapier — one with more than 40,000 weekly downloads and others approaching 70,000. A separate package identified by Eriksen has over 1.5 million weekly downloads, demonstrating the scale of the attack.
Researchers at Wiz said they detected more than 25,000 compromised repositories across roughly 350 users. According to their telemetry, nearly 1,000 new infected repositories were appearing every 30 minutes at one point. Wiz urged “immediate investigation and remediation” for any environment relying on NPM packages.
Why This Attack Matters for Crypto Security
The most alarming element of Shai Hulud is not just its breadth but its autonomy. Because it spreads through developer tooling, CI/CD systems, and automated scripts, it bypasses many of the protections users rely on at the wallet or platform level.
The malware can:
- harvest private keys if stored in environment variables
- capture API keys and RPC credentials used by backend infrastructure
- infect downstream dependencies through package updates
- replicate inside monorepos used by large dev teams
In crypto, where private keys often sit inside development testing environments, signing servers or deployment pipelines, this attack vector is particularly dangerous.
Eriksen said, “The scope of this new Shai Hulud attack is frankly massive,” adding that the team is still working through the full list. He warned that the attack could eclipse earlier incidents due to how rapidly it spreads.
The industry experienced a wake-up call in the BigONE breach, where $27 million was drained even though private keys were reportedly not exposed. The Shai Hulud worm presents a more fundamental threat because it seeks out secrets directly within developer infrastructure — the very place keys are often stored temporarily.
What Comes Next?
Security teams across the crypto industry are being urged to audit their NPM dependencies immediately, rotate credentials, and review CI/CD logs for irregular actions. With thousands of repositories already identified as compromised, the remediation window is narrow.
Wiz and Aikido both expect the number of infected repositories to grow as the malware continues propagating. Because NPM ecosystems are deeply interconnected, even a small number of compromised libraries can trigger a cascade of infections.
As supply-chain attacks accelerate across open-source ecosystems, a dual challenge emerges: hardening infrastructure and reducing reliance on unvetted dependencies. With Shai Hulud spreading rapidly, the industry’s most widely used tools are now on high alert.