JavaScript Supply Chain Attack: A Crypto Threat Emerges

New research from cybersecurity firm Aikido Security has revealed a major JavaScript supply chain attack, compromising hundreds of software packages – including at least 10 that are extensively used within the cryptocurrency ecosystem.

In a Monday announcement, Charlie Eriksen, a researcher at Aikido Security, disclosed the names of over 400 packages exhibiting signs of infection by the “Shai Hulud” self-replicating malware, which is being leveraged in an ongoing JavaScript NPM library supply chain attack. Eriksen stated that each detection was validated to minimize false positives.

Several of the impacted cryptocurrency-related packages receive tens of thousands of weekly downloads and are critical dependencies for numerous other packages. Eriksen also alerted the Ethereum Name Service (ENS) team via an X post, indicating that multiple ENS packages were affected.

Shai Hulud is indicative of a broader supply chain attack trend. Earlier in September, the largest reported NPM attack resulted in the theft of $50 million in cryptocurrency. Amazon Web Services noted that the initial attack was quickly followed by the autonomous spread of the Shai-Hulud worm within a week.

While the previous attack directly targeted crypto assets for theft, Shai-Hulud operates as a general-purpose credential-stealing malware, spreading autonomously across developer infrastructure. If the compromised environment contains wallet keys, the malware will exfiltrate them as “secrets,” similar to any other sensitive credential.

Affected Crypto Packages

Among the affected packages, at least 10 are specifically linked to the cryptocurrency industry, with a heavy concentration around ENS, a human-readable address name service. Notable impacted packages include ENS’s content-hash, boasting nearly 36,000 weekly downloads and 91 dependent software packages, and address-encoder, with over 37,500 weekly downloads.

Other affected ENS packages include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A non-ENS-related crypto package, crypto-addr-codec, was also compromised, seeing almost 35,000 downloads.

Popular Non-Crypto Packages Impacted

Affected packages extend beyond the cryptocurrency realm, impacting offerings from corporate automation platform Zapier, including one with over 40,000 weekly downloads and several others not far behind. Eriksen further identified other infected packages, some nearing 70,000 weekly downloads, and another exceeding 1.5 million weekly downloads.

“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen wrote on X.

“It’ll make the previous attack look like nothing.”

Researchers at cybersecurity firm Wiz claim to have “spotted over 25,000 affected repositories across ~350 unique users, 1,000 new repositories are being added consistently every 30 minutes in the last couple of hours.” The company recommends “immediate investigation and remediation” for any environment using npm.

