Self-Replicating Worm Exposes Open-Source Crypto Security Flaws

Generated by AI Agent Coin World, reviewed by AInvest News Editorial Team
Monday, Nov 24, 2025 9:53 am ET
Summary

- Aikido Security identified a self-replicating worm, dubbed Shai Hulud, in more than 400 npm packages, including ENS-related libraries used by the crypto ecosystem.

- The worm spreads on its own across developer infrastructure, harvests credentials, and publishes them to GitHub repositories; Wiz counted more than 25,000 affected repositories within three days, and one infected package has over 1.5 million weekly downloads.

- Recommended mitigation: clear npm caches, pin dependencies to versions published before November 21, rotate every credential that was present on affected machines, and replace classic npm tokens before the registry revokes them on December 9.

- The attack shows how one compromised package can reach thousands of dependent projects, threatening both crypto infrastructure and software development at large.

A major JavaScript supply-chain attack has infected hundreds of software packages, including at least 10 widely used in the cryptocurrency ecosystem, according to research by cybersecurity firm Aikido Security. The attack, dubbed "Shai Hulud," involves a self-replicating worm that compromises npm packages and steals credentials, potentially including crypto wallet keys. Charlie Eriksen, a researcher at Aikido Security, identified over 400 packages showing signs of infection, many of them tied to the Ethereum Name Service (ENS), the system that maps human-readable names to crypto addresses.

The malware spreads autonomously across developer infrastructure, harvesting secrets and publishing them to GitHub repositories under the victims' accounts. Wiz researchers reported that more than 25,000 repositories had been affected within three days of the latest wave, with new ones appearing at a rate of roughly 1,000 every 30 minutes. The attack follows a September 2025 incident in which, according to the report, $50 million in cryptocurrency was stolen, but Shai Hulud is broader in scope: it targets credentials in general rather than draining wallets directly.

Among the affected packages are ENS-related tools such as `ensjs` (30,000+ weekly downloads), `ethereum-ens` (12,650+ weekly downloads), and `ens-contracts` (3,100+ weekly downloads), as well as non-crypto packages from platforms such as Zapier. The scale of the breach is alarming: one infected package alone has over 1.5 million weekly downloads. Aikido Security warned that the attack could expose private repositories and keep spreading unless developers act immediately.

Security experts emphasize the urgency of mitigation. Wiz recommended clearing npm caches, pinning dependencies to versions published before November 21, and rotating every credential that was present on an affected machine or CI runner, since the worm harvests whatever it can reach. GitHub is actively deleting repositories the worm created, but the speed of propagation complicates cleanup. The npm registry has separately announced that all classic tokens will be revoked on December 9, so any automation still relying on them must be moved to granular tokens before that date.

The attack highlights a structural weakness of open-source ecosystems: a single compromised package can reach thousands of dependent projects through transitive dependencies. Aikido Security's Eriksen noted that the "scope is frankly massive," with implications for both crypto infrastructure and broader software development.
