Key Notes
- Malicious code injected into @ensdomains packages between Nov 21-23 targeted developer credentials across GitHub, npm and cloud services.
- The attack spread through compromised maintainer accounts, automatically executing during standard installation commands.
- Affected packages include gate-evm-check-code2, create-hardhat3-app, ethereum-ens, and over 40 @ensdomains scope libraries.
Ethereum Name Service ENS $11.61 24h volatility: 4.0% Market cap: $439.48 M Vol. 24h: $72.23 M software packages were compromised in a supply chain cyberattack affecting over 400 code libraries on npm, a platform where developers share and download software tools. ENS Labs said user assets and domain names appear unaffected.
The team detected that packages starting with @ensdomains were affected around 5:49 a.m. UTC on Nov. 24 and has since updated package versions while changing security credentials, according to ENS Labs . ENS-operated websites including app.ens.domains showed no signs of impact.
We have identified that certain npm packages starting with @ensdomains published around 5:49am UTC today may be affected by a Sha1-Hulud supply-chain attack that has compromised over 400 NPM libraries, including several ENS packages.
The team has updated all latest tags and is…
— ens.eth (@ensdomains) November 24, 2025
The attack also compromised packages from Zapier, PostHog, Postman and AsyncAPI, according to Aikido Security , which first detected the campaign on Nov. 24.
Crypto Packages Among Victims
Several blockchain development libraries were caught in the broad attack. Affected packages include gate-evm-check-code2 and evm-checkcode-cli used for smart contract bytecode verification, create-hardhat3-app for Ethereum ETH $2 964 24h volatility: 4.8% Market cap: $357.84 B Vol. 24h: $32.76 B project scaffolding, and coinmarketcap-api for price data integration.
Other crypto libraries affected include ethereum-ens and crypto-addr-codec, which handles cryptocurrency address encoding. Over 40 packages within the @ensdomains scope were compromised.
The incident echoes a backdoor discovered in XRP Ledger packages in April, where malicious code was injected into xrpl.js to steal private keys.
How the Attack Works
Malicious packages were uploaded to npm between Nov. 21-23. The malware propagates by compromising maintainer accounts and injecting code into their packages. It executes automatically when developers run standard installation commands.
The malware collects developer passwords and access tokens from GitHub, npm and major cloud services. It publishes stolen data to public GitHub repositories and creates hidden access points on infected machines for future attacks.
A GitHub search shows 26,300 repositories now contain stolen credentials, spread across roughly 350 compromised accounts. The number continues to grow as the attack remains active.
Koi Security researchers discovered an additional threat. If the malware cannot steal credentials or send data out, it erases all files in the user’s home directory.
Developer Response
ENS Labs stated that developers who have not installed ENS packages within 11 hours of the 5:49 a.m. UTC detection are likely unaffected. Those who installed during that window should delete their node_modules folders, clear npm cache and change all credentials.
The incident follows a series of crypto security breaches that have tested infrastructure projects this year. GitHub is actively removing attacker-created repositories, though new ones continue to appear.
next
