
NPM supply chain attack puts critical ENS and crypto libraries in danger


A serious JavaScript supply chain attack has compromised a large number of software packages, including at least ten that are widely used across the crypto ecosystem, according to research by cybersecurity firm Aikido Security.

In a Monday post, Charlie Eriksen, a researcher at Aikido Security, listed the names of over 400 packages that showed signs of infection with the “Shai Hulud” self-replicating worm used in the ongoing attack on the npm JavaScript package registry. Eriksen said he validated each detection to avoid false positives.

Many of the cryptocurrency-related packages involved receive tens of thousands of downloads per week and are dependencies of many other packages. In an X post published on Monday, Eriksen also warned the Ethereum Name Service (ENS) team that several of its packages were affected.

Source: Charlie Eriksen

Shai Hulud is part of a broader wave of supply chain attacks. In early September, attackers stole $50 million worth of cryptocurrency in the largest npm attack up to that point. Amazon Web Services noted that this initial attack was followed a week later by the autonomous spread of the Shai Hulud worm.

While the earlier attack directly targeted cryptocurrency holdings, Shai Hulud is general-purpose credential-stealing malware that spreads autonomously across developer infrastructure. If an infected environment contains wallet keys, the malware exfiltrates them as “secrets” like any other credential.

Slava Demchuk, CEO of crypto forensics firm AMLBot, told Cointelegraph: “Once a system is infected, the worm collects secrets, replicates itself, makes private repositories public, and then spreads further.” Any system with a compromised package installed could be infected, but so far “there is no mention of wallet keys or other such assets.”

“However, if there are sensitive secrets within the environment where the infected packages are installed – and those secrets provide access to other systems – assume they’ve been exposed,” Demchuk warned.

Which crypto packages are affected?

Of all the affected packages, at least ten were specifically related to the cryptocurrency industry, and most were tied to ENS, a service that maps human-readable names to blockchain addresses. The affected packages included the ENS content hash package, with nearly 36,000 weekly downloads and 91 dependent packages, as well as an address encoder with over 37,500 weekly downloads.

Other affected ENS packages include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A cryptocurrency-related package unrelated to ENS, called crypto-addr-codec, was also compromised and saw nearly 35,000 downloads.

Popular non-crypto packages are affected

The affected non-crypto packages include several published by enterprise automation platform Zapier, one of them with over 40,000 downloads per week and many others not far behind. In a follow-up post, Eriksen pointed to additional infected packages, some with nearly 70,000 weekly downloads, and another with well over 1.5 million weekly downloads.

“The scale of this recent Shai Hulud attack is frankly enormous; we’re still working the queue to substantiate every little thing,” Eriksen wrote on X.

“This will make the previous attack appear like nothing.”

Researchers at cybersecurity firm Wiz say they’ve discovered “over 25,000 affected repositories across roughly 350 unique users, and 1,000 recent repositories have been repeatedly added every half-hour over the past few hours.” The company recommends “immediate investigation and remediation” for any environment where npm is used.
