A massive JavaScript-based Node Package Manager (npm) supply-chain attack has infiltrated code libraries connected to the Ethereum Name Service (ENS)

Massive NPM Supply-Chain Attack Targets ENS-Linked Libraries in Shai Hulud Breach

2025/11/25 02:28

A massive JavaScript-based Node Package Manager (npm) supply-chain attack has infiltrated code libraries connected to the Ethereum Name Service (ENS) and hundreds of older software packages, including over 10 that are widely used across the crypto ecosystem, according to cybersecurity firm Aikido Security.

Charlie Eriksen, a malware researcher at the security firm, disclosed that the supply-chain malware known as “Shai-Hulud: The Second Coming” has infected hundreds of packages and more than 25,000 GitHub repositories.

According to the findings, threat actors have embedded this malicious code into over 490 npm packages with more than 132 million monthly downloads, including prominent ones from ENS, Zapier, AsyncAPI, Browserbase, and Postman.

“If a developer installs one of these bad packages, the malware quietly runs during installation, before anything even finishes installing,” Eriksen said.

How the Shai-Hulud Supply-Chain Malware Works

As described by Aikido Security, the Shai-Hulud malware gains access to the developer’s machine or cloud environment during package installation.

It then deploys an automated tool called TruffleHog to scan for sensitive data, including passwords, API keys, cloud tokens, and GitHub or NPM credentials.

Any discovered information is then uploaded to a public GitHub repository titled “Shai-Hulud: The Second Coming.”

If the stolen credentials include access to code repositories or package registries, attackers can leverage them to breach additional accounts and distribute more malicious packages, allowing the attack to propagate further.

Evolution from September’s Attack

The initial Shai-Hulud breach occurred in early September, marking the largest npm attack on record at the time, with hackers stealing $50 million in cryptocurrency.

Hardware wallet maker Ledger noted that this first attack was followed a week later by the Shai-Hulud worm spreading autonomously.

However, the infiltration method for this second wave appears substantially different.

The “Shai-Hulud: The Second Coming” variant first installs Bun via the file setup_bun.js, then uses it to execute bun_environment.js, which contains the actual malicious code.

[Image: Massive NPM Supply-Chain Attack Targets ENS-Linked Libraries in Shai Hulud Breach. Source: Aikido Blog]

It creates randomly named repositories with stolen data rather than using hardcoded names, and can infect up to 100 npm packages compared to 20 in the previous attack.

Self-Propagating Malware Exposes Blind Spot in NPM Packages

Charles Guillemet, Chief Technology Officer at crypto hardware wallet Ledger, alerted the community that the malware also targets API keys, Git credentials, and CI/CD secrets, then quietly exfiltrates everything.

“If you use affected packages: PLEASE check this carefully: consider your credentials and secrets compromised, audit your infrastructure, and rotate your credentials,” he cautioned.

He urged anyone without close CI monitoring to consider shutting down their systems.

Florian Roth, Head of Research at Nextron Systems, also added that it’s becoming increasingly easy for threat actors to inject malware into sensitive systems due to blind spots in NPM packages.

According to his assessment, the industry previously fought malware at the OS level, but now the same behavior occurs one layer up, inside the software ecosystems people trust every day.

“NPM tokens, transitive deps, weak account hygiene, zero visibility… and suddenly a self-propagating worm runs through the supply chain like it’s 2003 again.”

He concluded that the recent Shai Hulud breach reveals the real blind spot is in package ecosystems acting as execution surfaces.

“Nobody monitors them, nobody hardens them, and attackers don’t even need an exploit to make them go wild,” he said.

JP Richardson, CEO of Exodus, the first public company in the U.S. to tokenize stocks on the blockchain, also questioned Microsoft for making it “easy” for threat actors to propagate malware.

In a November 24 post, Richardson said, “What I don’t understand [is] why Microsoft (npm owner) is not moving fast enough to detect these attacks.”

He believes that any package to which a preinstall or postinstall script has been added should trigger warnings, both on the npm site and before package installation.
