A large JavaScript supply-chain attack has compromised hundreds of packages, including at least 10 used widely across the crypto ecosystem, according to new research from cybersecurity firm Aikido Security.
In a Monday post, Charlie Eriksen, a researcher at Aikido Security, shared the names of over 400 packages that show signs of compromise with the “Shai Hulud” self-replicating malware used in an ongoing JavaScript NPM library supply chain attack. Eriksen said he validated each detection to avoid false positives.
Many of the cryptocurrency-related packages involved have tens of thousands of downloads per week and have many other packages that require them to function. In an X post published earlier today, Eriksen also warned the Ethereum Name Service (ENS) team that several of their packages are affected.
Shai Hulud is part of a broader supply chain attack trend. In early September, the largest NPM attack reported to date saw hackers steal only $50 million of crypto. Amazon Web Services noted that this initial attack was followed by the Shai-Hulud worm spreading autonomously just a week later.
While the previous attack directly targeted crypto to steal assets, Shai-Hulud is a general-purpose credential-stealing malware that spreads autonomously across developer infrastructure. If the infected environment contains wallet keys, the malware will steal them as “secrets” like any other credential.
Which crypto packages are affected?
Among all the affected packages, at least 10 were specifically related to the cryptocurrency industry, and almost all were tied to the ENS, a human-readable address name service. Among the affected packages are ENS’s content-hash, with about 36,000 weekly downloads, and 91 packages depending on it, as well as address-encoder, with over 37,500 weekly downloads.
Other ENS packages affected include ensjs (over 30,000 weekly downloads), ens-validation (1,750 weekly downloads), ethereum-ens (12,650 weekly downloads), and ens-contracts (nearly 3,100 weekly downloads). A cryptocurrency-related package unrelated to ENS, called crypto-addr-codec, was also compromised, with about 35,000 downloads.
Popular non-crypto packages affected
Non-crypto-related packages affected include some offered by the business automation platform Zapier, including one with over 40,000 downloads per week and many not far behind. In a subsequent post, Eriksen pointed to other packages that were infected, some with about 70,000 weekly downloads, and to another package seeing well over 1.5 million weekly downloads.
“The scope of this new Shai Hulud attack is frankly massive; we’re still working through the queue to confirm it all,” Eriksen wrote on X.
“It’ll make the previous attack look like nothing.”
Researchers at cybersecurity firm Wiz claim to have “spotted over 25,000 affected repositories across ~350 unique users, 1,000 new repositories are being added consistently every 30 minutes in the last couple of hours.” The company recommends “immediate investigation and remediation” for any environment using npm.
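A first triage step for that recommendation is to check whether any of the packages named in this article appear in a project's dependency tree, directly or transitively. The following Node script is an added example, not code from Aikido, Wiz or the ENS project: it walks a `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map is keyed by `node_modules/...` paths) and reports hits by package name. The package names are taken from the article; the lock-file content is constructed sample data, and the versions in it are placeholders, since the article does not list which versions are compromised.

```javascript
// Added example: scan an npm package-lock.json (lockfileVersion 2/3) for the
// ENS-related and crypto packages named in the article. Name match only; the
// matching versions must be checked against Aikido's published list.
const AFFECTED = new Set([
  "content-hash", "address-encoder", "ensjs", "ens-validation",
  "ethereum-ens", "ens-contracts", "crypto-addr-codec",
]);

// Lockfile v2/v3 keys each entry by its install path, e.g.
// "node_modules/a/node_modules/b" for a copy of b nested under a.
// The package name is everything after the last "node_modules/", which
// keeps scoped names such as "@scope/pkg" intact.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  if (idx === -1) return null; // "" is the root project entry, not a dependency
  return lockPath.slice(idx + "node_modules/".length);
}

// Returns every affected package in the lock file with its version, install
// path, and whether it is a transitive (nested) dependency.
function findAffected(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name && AFFECTED.has(name)) {
      hits.push({
        name,
        version: entry.version,
        path: lockPath,
        transitive: lockPath.split("node_modules/").length > 2,
      });
    }
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lock file: one direct hit, one transitive hit under a
// hypothetical "some-sdk", and one clean scoped dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/content-hash": { version: "0.0.0-placeholder" },
    "node_modules/some-sdk": { version: "1.2.3" },
    "node_modules/some-sdk/node_modules/address-encoder": { version: "0.0.0-placeholder" },
    "node_modules/@scope/clean-lib": { version: "4.5.6" },
  },
};

for (const h of findAffected(sampleLock)) {
  console.log(`${h.name}@${h.version} (${h.transitive ? "transitive" : "direct"}) at ${h.path}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files nest entries under `dependencies` instead and are not handled here.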