JavaScript Supply-Chain Attack Infects Hundreds of Libraries, Hitting ENS and Crypto Projects
A major supply-chain attack on the npm registry, the package repository used by the JavaScript ecosystem, has compromised hundreds of software packages, including several widely used in the crypto industry. According to research from cybersecurity firm Aikido Security, the breach involves a self-replicating worm dubbed “Shai Hulud.”
In a recent analysis, Aikido Security researcher Charlie Eriksen identified over 400 libraries showing signs of infection. The compromised software includes at least 10 packages directly tied to the Ethereum Name Service (ENS). Another affected crypto-related package, crypto-addr-codec, has nearly 35,000 weekly downloads, highlighting the potential for widespread impact.
Widespread Impact Beyond Crypto
The attack’s reach extends far beyond the blockchain ecosystem. Infected packages include popular tools from the corporate automation platform Zapier, with one library seeing over 40,000 downloads per week. Eriksen pointed to other compromised packages with nearly 70,000 weekly downloads and one, posthog-node, that exceeds 1.5 million downloads each week.
“The scope of this new Shai Hulud attack is frankly massive,” Eriksen wrote, suggesting it will “make the previous attack look like nothing.”
Researchers at the cybersecurity firm Wiz reinforced the severity of the situation, reporting that they had found over 25,000 affected repositories. The firm noted that new infected repositories were being added at a rate of 1,000 every 30 minutes. In response to the findings, Wiz recommends “immediate investigation and remediation” for any development environment that uses npm packages.