
A major JavaScript supply chain attack compromised hundreds of software packages — including at least 10 widely used across the cryptocurrency ecosystem — according to new research by cybersecurity firm Aikido Security.
In a post on Monday, Charlie Eriksen, a researcher at Aikido Security, published the names of more than 400 packages showing signs of infection by the self-replicating “Shai-Hulud” malware used in an ongoing JavaScript NPM library supply chain attack. Eriksen said he validated each finding to avoid false positives.
Many of the cryptocurrency-related packages receive tens of thousands of downloads per week, and many more packages depend on them to work. In an X post published earlier today, Eriksen also warned the Ethereum Name Service (ENS) team that several of their packages had been affected.
The attack is part of a broader trend of supply chain attacks. In early September, the largest NPM attack reported to date saw hackers steal just $50 million in cryptocurrency. Amazon Web Services reported that this first attack was followed by the independent spread of the Shai-Hulud worm just one week later.
While the previous attack directly targeted cryptocurrencies to steal assets, Shai-Hulud is a general-purpose credential-stealing malware that spreads autonomously across developers’ infrastructure. If the infected environment contains wallet keys, the malware will steal them as “secrets” like any other credentials.
Which crypto packages are affected?
Of all the affected packages, at least 10 were specifically related to the cryptocurrency industry, and almost all of those were related to ENS, a human-readable address name service. Among the affected packages are ENS’s content hashing package, with approximately 36,000 weekly downloads and 91 packages that depend on it, as well as its address encoder, with more than 37,500 weekly downloads.
Other affected ENS packages include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A cryptocurrency-related package unrelated to ENS, crypto-addr-codec, was also compromised; it has nearly 35,000 weekly downloads.
Popular non-crypto packages are also affected
The non-cryptocurrency packages affected include some of the software offered by business automation platform Zapier, including one with over 40,000 downloads per week and many not far behind. In a later blog post, Eriksen pointed to other infected packages, some with nearly 70,000 downloads per week, and others seeing over 1.5 million weekly downloads.
“The scope of Shai-Hulud’s new attack is frankly massive, and we’re still working through the queue to confirm everything,” Eriksen said on X.
“It will make the previous attack seem like nothing.”
Researchers at cybersecurity company Wiz claim to be “monitoring over 25,000 affected repositories across approximately 350 unique users, with 1,000 new repositories being added constantly every 30 minutes in the last 2 hours.” The company recommends “immediate investigation and remediation” of any environment using npm.
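A first investigation step for the npm environments Wiz refers to is checking a project's lockfile for the packages the article lists above; the following is an added example, not code from the article or from Aikido or Wiz. It assumes the npm package names shown for the ENS packages (the article gives descriptions, not exact identifiers) and uses a constructed sample lockfile, so authoritative names and affected versions must come from the vendors' advisories.

```python
import json

# Watchlist built from the package names this article mentions. The exact
# npm identifiers are assumptions for illustration; replace them with the
# names and versions published in the Aikido/Wiz advisories before acting.
WATCHLIST = {
    "@ensdomains/content-hash",
    "@ensdomains/address-encoder",
    "@ensdomains/ensjs",
    "@ensdomains/ens-validation",
    "ethereum-ens",
    "@ensdomains/ens-contracts",
    "crypto-addr-codec",
}

def package_name_from_path(path):
    """Map a lockfile 'packages' key such as
    'node_modules/a/node_modules/@scope/b' to the package name '@scope/b'."""
    _, _, tail = path.rpartition("node_modules/")
    return tail

def find_watchlisted(lockfile_text, watchlist=WATCHLIST):
    """Return {name: sorted list of installed versions} for every package in
    a lockfileVersion 2/3 package-lock.json that is on the watchlist,
    including nested copies installed under other dependencies."""
    lock = json.loads(lockfile_text)
    hits = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name_from_path(path)
        if name in watchlist:
            hits.setdefault(name, set()).add(meta.get("version", "?"))
    return {n: sorted(v) for n, v in hits.items()}

# Constructed sample lockfile (versions are made up): a direct ENS dependency,
# a crypto-addr-codec copy nested under another package, and an unrelated one.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@ensdomains/ensjs": {"version": "4.0.0"},
        "node_modules/some-wallet-lib": {"version": "2.1.0"},
        "node_modules/some-wallet-lib/node_modules/crypto-addr-codec": {"version": "0.1.8"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for name, versions in sorted(find_watchlisted(SAMPLE_LOCK).items()):
        print(f"{name}: {', '.join(versions)}")
```

Run it against a real `package-lock.json` by passing the file's contents to `find_watchlisted`; a match means the package is installed, not necessarily that the installed version is a compromised one.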
The post New NPM Supply-Chain Attack Compromises ENS and Crypto Code first appeared on Investorempires.com.
