A major JavaScript supply-chain breach has hit the open-source ecosystem, with cybersecurity researchers confirming that more than 400 npm libraries were compromised by the self-replicating Shai Hulud malware. The discovery was detailed by Aikido Security researcher Charlie Eriksen, who said each flagged package was manually validated to avoid false positives. The incident is still unfolding, and early indications suggest it may be one of the most extensive npm infections seen to date.
Crypto packages compromised
Among the impacted libraries, at least ten are widely used within the cryptocurrency ecosystem, particularly those connected to the Ethereum Name Service (ENS). Several ENS dependencies central to wallet infrastructure and naming services were affected, prompting Eriksen to alert the ENS team directly on X. Packages such as content-hash, address-encoder, ensjs, ethereum-ens, ens-contracts and others, many of which log tens of thousands of weekly downloads, were found to contain malicious code. Another widely used crypto library, crypto-addr-codec, was also confirmed compromised.
Impact beyond crypto
The infection extends well past blockchain-related tooling. Multiple libraries associated with mainstream platforms such as Zapier were found compromised, including some with download counts in the tens of thousands. One affected package identified later in the review reportedly receives well over a million weekly downloads. The breadth of the incident underscores the systemic risk posed by compromised open-source dependencies across both fintech and traditional software development environments.
Rapid spread and growing risk
The Shai Hulud malware emerged shortly after a separate npm attack earlier in September, one responsible for the theft of roughly $50 million in crypto assets. Unlike that targeted theft, Shai Hulud operates as a credential-stealing worm capable of spreading autonomously through developer environments. If wallet keys or other sensitive credentials are stored locally, the malware exfiltrates them just as it would any other secret. Researchers at Wiz estimated that more than 25,000 repositories have already been affected across hundreds of users, with new infected repositories appearing at a pace of roughly 1,000 every 30 minutes at the height of the outbreak.