NPM supply-chain attack compromises major ENS and crypto libraries
3 min read
A major JavaScript supply-chain attack has compromised hundreds of software packages, including at least 10 used widely across the crypto ecosystem, according to research from cybersecurity firm Aikido Security.
In a Monday post, Charlie Eriksen, a researcher at Aikido Security, shared the names of over 400 packages that showed signs of infection with the “Shai Hulud” self-replicating worm malware used in the ongoing JavaScript NPM library supply chain attack. Eriksen said he validated each detection to avoid false positives.
Many of the cryptocurrency-related packages involved receive tens of thousands of downloads per week and have numerous other packages that require them to function. In an X post published earlier Monday, Eriksen also warned the Ethereum Name Service (ENS) team that several of their packages were affected.
Shai Hulud is part of a broader supply chain attack trend. In Early September, the largest NPM attack reported to date saw hackers steal $50 million of crypto. Amazon Web Services noted that this first attack was followed by the Shai Hulud worm spreading autonomously a week later.
While the previous attack directly targeted crypto to steal assets, Shai Hulud is a general-purpose credential-stealing malware that spreads autonomously across developer infrastructure. If the infected environment contains wallet keys, the malware will steal them as “secrets” like any other credential.
Slava Demchuk, CEO of crypto forensics firm AMLBot, told Cointelegraph that “once a system is infected, the worm harvests secrets, replicates itself, makes private repositories public, and then continues to spread.” Any system where a compromised package is installed can be infected, but so far, “there is no mention of wallet keys or other such assets.”
“However, if there are sensitive secrets present in the environment where the infected packages are installed — and those secrets grant access to other systems — assume they have been exposed,” Demchuk warned.
Related: Failed NPM exploit highlights looming threat to crypto security: Exec
Which crypto packages are affected?
Among all the affected packages, at least 10 were specifically related to the cryptocurrency industry, and most were tied to the ENS, a human-readable address name service. Among the affected packages were ENS’s content-hash, with almost 36,000 weekly downloads, and 91 software packages depending on it, as well as an address-encoder, with over 37,500 weekly downloads.
Other ENS packages affected include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A cryptocurrency-related package unrelated to ENS, called crypto-addr-codec, was also compromised, with almost 35,000 downloads.
Related: $27 million gone, no private keys exposed: How the BigONE hack happened
Popular non-crypto packages affected
Non-crypto-related packages affected include some offered by the corporate automation platform Zapier, including one with over 40,000 downloads per week and many not far behind. In a subsequent post, Eriksen pointed to other packages that were infected, some with nearly 70,000 weekly downloads, and to another package seeing well over 1.5 million weekly downloads.
“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen wrote on X.
“It’ll make the previous attack look like nothing.“
Researchers at cybersecurity firm Wiz claim to have “spotted over 25,000 affected repositories across ~350 unique users, 1,000 new repositories are being added consistently every 30 minutes in the last couple of hours.” The company recommends “immediate investigation and remediation” for any environment using npm.
Magazine: ‘Help! My robot vac is stealing my Bitcoin’: When smart devices attack
