Shai Hulud malware hits NPM as crypto libraries face a growing security crisis

• The infection includes at least 10 major crypto packages linked to the ENS ecosystem.
• A previous NPM attack in early September resulted in 50 million dollars in stolen crypto.
• Researchers found more than 25,000 affected repositories during the investigation.

A new round of NPM infections has triggered concern across the JavaScript community as the Shai Hulud malware continues to move through hundreds of software libraries.

Aikido Security has confirmed that more than 400 NPM packages have been compromised, including at least 10 widely used across the crypto ecosystem.

The scale of the issue places developers under immediate pressure to assess the risk, especially those working with blockchain tools and applications.

The disclosure came on Monday when Aikido Security released a detailed list of contaminated libraries following a review of unusual behaviour on NPM.

A separate post from researcher Charles Eriksen also highlighted the infection list on X, drawing attention to key ENS packages involved in the incident.

The infections appear to be tied to an active supply chain attack that has been unfolding in recent weeks, adding momentum to a pattern of escalating security incidents within JavaScript infrastructure.

Threat expands beyond earlier NPM attacks

The surge in infections follows a major NPM breach in early September. That earlier case ended with attackers stealing 50 million dollars worth of crypto, making it one of the largest supply chain incidents linked directly to digital asset theft.

According to Amazon Web Services , the attack was followed within a week by the appearance of Shai Hulud, which began spreading autonomously across projects.

While the initial September incident targeted crypto assets directly, Shai Hulud operates differently. It focuses on collecting credentials from any environment that downloads an infected package. If wallet keys happen to be present, they are treated like any other secret and extracted.

This shift in behaviour makes the new incident broader in scope.

Instead of aiming at a single objective, the malware integrates itself into developer workflows and moves through dependency chains, increasing the chance of accidental exposure across both crypto and non-crypto projects.

ENS packages heavily affected

The crypto packages affected in the latest review show a clear concentration around the Ethereum Name Service ecosystem. Several ENS-related libraries, many with tens of thousands of weekly downloads, appear on the compromised list.

These include content-hash, address-encoder, ensjs, ens-validation, ethereum-ens, and ens-contracts.

To support the findings, Eriksen shared a detailed X post outlining the compromised ENS packages. Shortly after, a second X update from Eriksen expanded on the wider spread of infections affecting additional repositories.

Each ENS package supports functions used across wallet interfaces, blockchain applications, and tools that convert human-readable names into machine-readable formats.

Their popularity means that the impact may stretch beyond direct maintainers to downstream developers who rely on them for core operations.

A separate crypto library, crypto-addr-codec, was also identified among the compromised packages. Though unrelated to ENS, it is used in wallet-related processes and carries high weekly traffic, making its contamination another priority area for security reviews.

Growing impact across non-crypto software

The spread is not limited to digital asset tools. Several non-crypto libraries have also been impacted, including packages associated with the workflow automation platform Zapier .

Some of these report weekly downloads well above forty thousand, indicating the malware has reached parts of the JavaScript ecosystem unrelated to blockchain activity.

Additional libraries highlighted in later posts show even higher levels of distribution. One package appeared close to seventy thousand weekly downloads.

Another recorded weekly traffic above one and a half million, reflecting a much wider footprint than early reports suggested.

The rapid expansion has drawn attention from other security teams. Researchers at Wiz stated that they had identified more than twenty-five thousand affected repositories linked to around three hundred and fifty users.

They also noted that one thousand new repositories were being added every thirty minutes in the early stages of the investigation.

This level of growth demonstrates how quickly supply chain contamination can accelerate when packages replicate across dependency networks.

Developers working with NPM have been advised to perform immediate checks, validating environments and scanning for possible exposure.

With dependency chains being interlinked across multiple industries, even teams outside the crypto sector could unknowingly integrate infected packages.