Self-replicating worm reveals vulnerabilities in open-source cryptocurrency security

Bitget-RWA, 2025/11/24 15:04
By: Bitget-RWA

- Aikido Security discovered a self-replicating worm called Shai Hulud infecting 400+ npm packages, including critical crypto tools like ENS-related libraries.
- The malware autonomously steals credentials from 25,000+ repositories, with one infected package having 1.5 million weekly downloads.
- Security experts urge immediate mitigation: clear npm caches, rotate credentials, and revoke classic tokens by December 9.
- The attack exposes systemic vulnerabilities in open-source ecosystems, threatening both

An extensive JavaScript supply-chain attack has compromised hundreds of software packages, including at least 10 that are heavily relied upon in the cryptocurrency sector.

This campaign, named "Shai Hulud," uses a self-propagating worm to infect npm packages and extract credentials, which may include sensitive crypto wallet information. Aikido Security found more than 400 packages exhibiting evidence of infection, many of them associated with the Ethereum Name Service (ENS), a vital service for user-friendly crypto addresses.

This malicious software autonomously spreads through developer environments, collecting confidential data and uploading it to the affected users' GitHub repositories.

More than 25,000 repositories were breached within just three days of the most recent attack, with new infections occurring at a pace of 1,000 every half hour. An earlier attack resulted in $50 million in crypto theft, but Shai Hulud is broader in scope, targeting credentials in general rather than digital assets directly.

Some of the impacted packages include ENS-related utilities like `ensjs` (over 30,000 downloads per week), `ethereum-ens` (more than 12,650 downloads), and `ens-contracts` (over 3,100 downloads), along with non-crypto packages from services such as Zapier. The exposure is substantial: a single infected package was downloaded upwards of 1.5 million times each week. Security researchers warn that unless developers act swiftly, the attack could lead to exposure of private repositories and further proliferation.

Experts in cybersecurity stress the need for immediate countermeasures.

Developers are advised to clear their npm caches, revert to versions prior to November 21, and rotate all credentials. GitHub is in the process of removing compromised repositories, but the worm's rapid distribution complicates remediation. It has also been announced that all classic tokens will be invalidated by December 9 as a security measure.
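As an added example (not code from the article, Aikido Security, or GitHub), the following Node script turns the "revert to versions prior to November 21" advice into a check: it reads a package-lock.json, looks for the ENS-related packages the article names, and flags any installed version whose registry publish date is on or after the cutoff. The lockfile excerpt and the publish-time data (the shape returned by `npm view <pkg> time --json`) are constructed samples; the version numbers and dates are illustrative, not the real publish history.

```javascript
// Watchlist taken from the package names in the article; cutoff from its advice.
const WATCHLIST = ["ensjs", "ethereum-ens", "ens-contracts"];
const CUTOFF = new Date("2025-11-21T00:00:00Z");

// Constructed package-lock.json (lockfileVersion 3) excerpt, not a real project.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ensjs": { version: "3.2.1" },
    "node_modules/ethereum-ens": { version: "0.8.0" },
    "node_modules/ens-contracts": { version: "0.0.23" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed stand-in for `npm view <pkg> time --json` output (illustrative dates).
const PUBLISH_TIMES = {
  "ensjs": { "3.2.0": "2025-06-01T10:00:00.000Z", "3.2.1": "2025-11-23T04:12:00.000Z" },
  "ethereum-ens": { "0.8.0": "2024-02-14T09:30:00.000Z" },
  "ens-contracts": { "0.0.22": "2025-09-01T08:00:00.000Z", "0.0.23": "2025-11-22T19:45:00.000Z" },
};

// Map package name -> set of installed versions. Lockfile keys are paths such as
// "node_modules/ensjs" or, for nested copies, "node_modules/a/node_modules/ensjs",
// so only the final segment (including a scope like @org/pkg) is the package name.
function installedVersions(lockfile) {
  const found = {};
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const m = path.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (!m) continue;
    (found[m[1]] ||= new Set()).add(meta.version);
  }
  return found;
}

// Classify each installed watchlisted version: "ok" if published before the cutoff,
// "published-after-cutoff" if not, "unknown-publish-date" if the registry data lacks it.
function findSuspectPackages(lockfile, publishTimes, cutoff = CUTOFF) {
  const installed = installedVersions(lockfile);
  const report = [];
  for (const name of WATCHLIST) {
    for (const version of installed[name] || []) {
      const published = publishTimes[name]?.[version];
      let status = "ok";
      if (!published) status = "unknown-publish-date";
      else if (new Date(published) >= cutoff) status = "published-after-cutoff";
      report.push({ name, version, status });
    }
  }
  return report.sort((a, b) => a.name.localeCompare(b.name));
}

console.log(findSuspectPackages(LOCKFILE, PUBLISH_TIMES).filter(r => r.status !== "ok"));
```

Anything that is not "ok" is a candidate for pinning back to an earlier version and for the credential rotation described above.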

This incident exposes the risks inherent in open-source software, where a single tainted package can jeopardize thousands of dependent projects.

Researchers say that the "scale is truly enormous," affecting not only crypto infrastructure but the wider software development landscape as well.
