NPM Supply-Chain Attack Compromises 400+ Packages, ENS Libraries Targeted
A security researcher reported that the Shai Hulud malware has compromised over 400 NPM libraries, with at least 10 cryptocurrency-related packages affected — most linked to the Ethereum Name Service (ENS) ecosystem. The injected code appears in dependencies used across projects, raising the likelihood that wallets, dapps, or tooling could ingest malicious updates indirectly via trusted packages.
This incident underscores persistent supply-chain vulnerabilities in open-source tooling. For ENS users and developers, the risk includes compromised key material or automated actions if any build or runtime environment pulled infected packages. Maintainers should audit recent dependency changes, revoke or rotate exposed credentials where appropriate, and publish patched releases. Users should update to clean package versions and verify integrity before deploying. The breach is a reminder that dependency hygiene and provenance checks are now critical components of crypto infrastructure security.
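One way to carry out the dependency audit recommended above is to walk a project's package-lock.json and flag every installed entry, transitive ones included, that matches an advisory list or has no integrity hash. This is an added example, not code from the report or from any affected project; the package names, versions, hashes and the `ADVISORY` list are constructed placeholders, not real indicators.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3 "packages" map).
// All package names, versions and hashes below are constructed placeholders.

// Advisory list: name -> versions reported as compromised (hypothetical entries).
const ADVISORY = new Map([
  ["example-ens-lib", new Set(["1.4.1", "1.4.2"])],
  ["@example/wallet-utils", new Set(["0.9.3"])],
]);

// Derive the package name from a lockfile key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Return findings for every installed entry, including nested (transitive) ones.
function auditLockfile(lock, advisory = ADVISORY) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || meta.link) continue; // skip root project and workspace symlinks
    const name = meta.name || nameFromPath(path);
    const bad = advisory.get(name);
    if (bad && bad.has(meta.version)) {
      findings.push({ path, name, version: meta.version, issue: "compromised-version" });
    }
    // Without an integrity hash npm has nothing to verify the download against.
    if (!meta.integrity) {
      findings.push({ path, name, version: meta.version, issue: "missing-integrity" });
    }
  }
  return findings;
}

// Constructed sample lockfile: the flagged version arrives only as a transitive dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-dapp", version: "1.0.0" },
    "node_modules/ui-kit": { version: "2.1.0", integrity: "sha512-CONSTRUCTED==" },
    "node_modules/ui-kit/node_modules/example-ens-lib": { version: "1.4.2", integrity: "sha512-CONSTRUCTED==" },
    "node_modules/example-ens-lib": { version: "1.3.0", integrity: "sha512-CONSTRUCTED==" },
    "node_modules/@example/wallet-utils": { version: "0.9.2" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

In a real project the object would come from `JSON.parse` of the committed lockfile, and the advisory map from the published list of affected versions.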