New NPM Supply Chain Hack Threatens ENS and Cryptocurrency Security

Major Supply-Chain Attack Targets Crypto-Related Software Packages

A significant JavaScript supply-chain attack has compromised over 400 software packages, including at least 10 heavily used within the cryptocurrency ecosystem. The breach was uncovered by cybersecurity firm Aikido Security, highlighting the evolving threat landscape faced by developers and users alike.

In a detailed blog post, researcher Charlie Eriksen outlined the scope of the infection, identifying packages infected with the “Shai Hulud” malware—an autonomous, self-replicating strain designed to spread across developer environments. Eriksen confirmed the validity of each detection to prevent false positives. Many of these packages are responsible for critical functions, with some receiving tens of thousands of weekly downloads, emphasizing the widespread potential impact.

Of particular concern are the affected packages associated with the Ethereum Name Service (ENS), which facilitate human-readable blockchain addresses. Notable among these are ENS's content-hash, with nearly 36,000 weekly downloads, and address-encoder, with over 37,500 weekly downloads. Other ENS packages, such as ensjs, ens-validation, ethereum-ens, and ens-contracts, are also compromised. A separate package, crypto-addr-codec, unrelated to ENS, with nearly 35,000 weekly downloads, was also affected.

This incident is part of a broader trend of supply-chain attacks. In September, the largest NPM attack to date resulted in approximately $50 million stolen from crypto assets. Amazon Web Services highlighted that this incident was followed by the spread of the Shai-Hulud worm, which replicated itself across environments post-initial breach.

Unlike previous targeted thefts, Shai Hulud primarily acts as a credential-stealer, spreading autonomously and harvesting wallet keys and other secrets stored within infected environments. This capability poses a significant threat to the security of blockchain assets if such secrets are stored insecurely.

Scope of the Affected Packages

Among the impacted packages, at least 10 are directly related to cryptocurrency functions, predominantly tied to the ENS ecosystem. Packages such as content-hash, with nearly 36,000 weekly downloads, and address-encoder, exceeding 37,500 downloads, are critical components used by developers to handle address and name resolution. Other key packages affected include ensjs, ens-validation, ethereum-ens, and ens-contracts.

Beyond crypto, several non-crypto packages are compromised, including popular tools from Zapier, like @zapier/secret-scrubber, with over 40,000 weekly downloads. Eriksen warned that affected packages with high download volumes, some approaching 70,000 weekly downloads, underscore the widespread reach of the malware.

Researchers from Wiz estimate that over 25,000 repositories across hundreds of users have been impacted, with new compromised repositories added every 30 minutes. The cybersecurity community urges immediate investigations and remediation efforts for any environment utilizing npm packages.

https://www.cryptobreaking.com/new-npm-supply-chain-hack/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=New%20NPM%20Supply%20Chain%20Hack%20Threatens%20ENS%20and%20Cryptocurrency%20Security%20

Coinbase's x402 launches AI agents app store for payments

Coinbase-backed x402 has unveiled Agentic.market, a dedicated marketplace aimed at increasing the usefulness of AI agents by aggregating thousands of apps and services that agents can access without any API keys. The rollout positions the platform as a central hub for agents to discover, evaluate, and deploy capabilities across a standardized payments layer. Coinbase product lead Nick Prince described Agentic.market in a video posted on X as a storefront for discovering, comparing, and using x402 services. The marketplace is designed to give both humans and their AI agents access to a wide range of tools—from data feeds to consumer apps—without the friction of managing API credentials. A storefront for discovering, comparing, and using x402 services. Thousands of services. Zero API keys. Powered by x402. Prince added that the market offers a web interface for humans to browse and assess services, alongside a programming layer that lets AI agents autonomously search, filter, and integra...

Top Cryptocurrencies to Watch: BTC, ETH, BNB, XRP, Solana, Dogecoin & More

Market Analysis and Price Predictions for Key Cryptocurrencies Recent market dynamics reveal a cautious sentiment across the cryptocurrency landscape, with Bitcoin struggling to maintain levels above $90,000 and many major altcoins facing downward pressure. Indicators point toward reduced participation from both institutional and retail investors, raising concerns about a potential consolidation phase after notable gains earlier in the year. Bitcoin has fallen below $87,000, reflecting waning demand at higher price points. Institutional fund flows into BTC and ETH ETFs have turned negative, indicating a period of subdued market activity. Active addresses and Binance deposit/withdrawal activities are at annual lows, suggesting market indecision. Most leading altcoins are approaching support levels, with some poised for potential breakdowns. Tickers mentioned: Bitcoin, Ethereum, Binance Coin, XRP, Solana, Dogecoin, Cardano, Bitcoin Cash, Chainlink, Hyperliquid Sentiment: Neutral to Sli...

Analyst: Bitcoin can reclaim $100K without a new narrative

Bitcoin has stalled below the $100,000 threshold, marking a run of almost five months without a breakout above that level. As of the latest market close, BTC hovered around $78,250 after a February nadir of about $60,000, underscoring a slow, grinding recovery amid broader market dynamics. In parallel, tech markets—especially AI-focused equities—have captured the spotlight, with investors rotating capital away from crypto in search of different risk-reward profiles. Nvidia (NVDA), the leading AI stock by market cap, has gained about 5.08% since the start of the year, while Bitcoin has faced a roughly 10% dip over the same period, illustrating a diverging performance within risk assets. MN Trading Capital founder Michael van de Poppe suggested that Bitcoin may not require a fresh narrative to push back above $100,000. In a post on X, he asked what narrative would drive BTC to the milestone and concluded that “price moves upwards, and the narrative will create itself.” He continued that ...

Search This Blog