A large-scale JavaScript supply chain attack has compromised hundreds of software packages, including at least 10 widely used across the cryptocurrency ecosystem, according to new research from cybersecurity firm Aikido Security.
In a post on Monday, Charlie Eriksen, a researcher at Aikido Security, published the names of more than 400 packages that show signs of infection by Shai-Hulud, a self-replicating malware used in an ongoing supply chain attack on JavaScript NPM libraries. Eriksen said he verified each detection to avoid false positives.
Many of the associated cryptocurrency-related packages receive tens of thousands of downloads per week, and each in turn pulls in many other packages it needs to function. In an X post published earlier today, Eriksen also warned the Ethereum Name Service (ENS) team that several packages would be affected.

Source: Charlie Eriksen
Shai-Hulud is part of a broader supply chain attack trend. In early September, hackers stole only $50 million in cryptocurrency in the largest NPM attack ever reported. Just one week after that initial attack, Amazon Web Services reported that the Shai-Hulud worm was spreading autonomously.
While previous attacks directly targeted cryptocurrencies to steal assets, Shai-Hulud is a general-purpose credential-stealing malware that autonomously spreads across a developer’s infrastructure. If the infected environment contains wallet keys, the malware steals them as “secrets” like any other credentials.
Which cryptocurrency packages are affected?
Of all the packages affected, at least 10 were specifically related to the cryptocurrency industry, and nearly all were associated with ENS, a human-readable address name service. Among the affected packages are ENS Content Hash and 91 software packages that depend on it, which are downloaded approximately 36,000 times each week, and Address Encoder, which is downloaded more than 37,500 times each week.
Other affected ENS packages include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A cryptocurrency-related package unrelated to ENS, crypto-addr-codec, was also compromised; it receives approximately 35,000 weekly downloads.
Popular non-cryptocurrency packages affected
Affected packages unrelated to cryptocurrency include those from enterprise automation platform Zapier, which has more than 40,000 downloads per week, and many others with far fewer downloads. In subsequent posts, Eriksen pointed to other infected packages, including one with nearly 70,000 weekly downloads and another with well over 1.5 million weekly downloads.
“The scope of this new Shai-Hulud attack is frankly massive. We are still waiting our turn to confirm everything,” Eriksen wrote on X.
“All the attacks we’ve had so far will come to nothing.”
Researchers from cybersecurity firm Wiz claim they have “discovered more than 25,000 affected repositories across approximately 350 unique users, with 1,000 new repositories being continuously added every 30 minutes over the past few hours.” The company recommends “immediate investigation and remediation” for environments using npm.