A widespread JavaScript supply chain compromise has infiltrated more than 400 software packages across multiple industries, with cybersecurity researchers flagging deep exposure within cryptocurrency-related infrastructure. Aikido Security’s findings reveal a troubling pattern: the threat actor deployed Shai Hulud, a sophisticated self-replicating malware designed to autonomously propagate through developer environments and extract sensitive credentials.
Attack Scope and Technical Mechanism
The malware operates differently from previous NPM supply chain incidents. Rather than targeting digital assets directly, this self-replicating malware functions as a credential harvester, systematically stealing wallet keys, API tokens, and authentication secrets from infected development systems. Each detection underwent validation to eliminate false positives, according to researcher Charlie Eriksen’s disclosure on social media.
The scale remains alarming. Cybersecurity firm Wiz identified approximately 25,000 compromised repositories belonging to roughly 350 distinct users, with fresh infections occurring at a rate of 1,000 new repositories every half-hour. This autonomous propagation distinguishes the current threat from an earlier September incident where attackers manually extracted $50 million in cryptocurrency before moving on.
Cryptocurrency Infrastructure Under Siege
At least ten packages serving the blockchain industry fell victim, predominantly connected to Ethereum Name Service (ENS) infrastructure. The affected ecosystem includes widely distributed libraries such as:
content-hash: approximately 36,000 weekly downloads
ensjs, ens-validation, ethereum-ens, ens-contracts: all compromised
Beyond ENS-specific tools, the attack reached crypto-addr-codec, a standalone cryptography utility commanding nearly 35,000 downloads per week. These packages serve as foundational dependencies for hundreds of downstream projects, amplifying the risk exposure across the development community.
Broader Impact Assessment
The compromise extends beyond cryptocurrency applications. Notable victims include enterprise automation platforms like Zapier, with certain affected packages receiving over 40,000 weekly downloads. Some compromised libraries report 1.5 million downloads weekly, suggesting potential exposure affecting thousands of end applications.
Eriksen characterized the incident’s scope as “massive,” with investigation efforts ongoing to establish complete impact parameters. The immediate recommendation from security researchers calls for comprehensive audits of any development environment utilizing npm infrastructure, coupled with urgent credential rotation and supply chain remediation procedures.
Extensive JavaScript NPM Attack Spreads Self-Replicating Malware Across Crypto Ecosystem