Major JavaScript Supply Chain Attack Impacts Key Crypto Libraries


Over 400 software packages, including critical crypto libraries, have been compromised by Shai Hulud malware.

A significant JavaScript supply chain attack has impacted more than 400 software packages, including vital libraries in the crypto realm, as reported by cybersecurity firm Aikido Security.

In a recent post, Charlie Eriksen, a researcher at Aikido Security, published a list of over 400 packages flagged as potentially infected by the Shai Hulud self-replicating worm, the malware being used in the ongoing attack on JavaScript npm libraries. Eriksen stated that every detection was validated to rule out false positives.

Many of the affected packages in the cryptocurrency sector receive high download volumes weekly and are crucial for the operation of numerous other packages. In a post on X, Eriksen also cautioned the Ethereum Name Service (ENS) team, indicating that a number of their packages were compromised.

Source: Charlie Eriksen

Shai Hulud is part of a larger trend in supply chain attacks. In early September, the largest NPM attack reported saw hackers steal $50 million in cryptocurrency. Amazon Web Services acknowledged that the initial attack was followed by the Shai Hulud worm disseminating itself autonomously a week later.

While the previous attack specifically targeted crypto for asset theft, Shai Hulud serves as a general-purpose credential-stealing malware that autonomously spreads through developer environments. If the environment includes wallet keys, this malware is capable of stealing them as ‘secrets’ akin to other credentials.

Slava Demchuk, CEO of AMLBot, informed Cointelegraph that:

“Once a system is infected, the worm harvests secrets, replicates itself, makes private repositories public, and then continues to spread.”

He further explained that any system where a compromised package is installed might fall victim to infection, but there have been no claims regarding the theft of wallet keys or similar assets to date.

However, he warned:

“If any sensitive secrets exist in the environment where infected packages are deployed—especially if they grant access to other systems—assume they have been compromised.”

Which crypto packages are impacted?

Among all compromised packages, at least 10 were specifically linked to the cryptocurrency sector, most of them associated with ENS, which provides human-readable address names. Affected packages included ENS’s content-hash, with nearly 36,000 weekly downloads and 91 other packages depending on it, as well as address-encoder, with over 37,500 weekly downloads.

Other ENS-related impacted packages consist of ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). Additionally, a cryptocurrency package, unrelated to ENS, named crypto-addr-codec was also breached, with close to 35,000 downloads.

Popular non-crypto packages impacted

Various non-crypto packages have also been affected, including several published by the corporate automation platform Zapier, one of which exceeds 40,000 weekly downloads, with several others close behind. In a follow-up post, Eriksen identified additional compromised packages, some with nearly 70,000 weekly downloads, and one exceeding 1.5 million weekly downloads.

Eriksen remarked on X:

“The scale of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all.”

Researchers at cybersecurity firm Wiz say they have discovered over 25,000 affected repositories across approximately 350 unique users, with about 1,000 new repositories being added every 30 minutes in recent hours. The firm recommends immediate investigation and remediation for any environment that uses npm.
