Related News

Bitcoin’s loses $78k while the US markets sleeps – risk takes over from oil as crude prices stay flat

April 23, 2026
Kraken Prepares CFTC-Regulated Perpetual Futures Launch For US Traders

Kraken Prepares CFTC-Regulated Perpetual Futures Launch For US Traders

June 13, 2026
Pi Network News: Analyst Says Pi Will Never Hit $314,159; But There’s a Twist

Pi Network News: Analyst Says Pi Will Never Hit $314,159; But There’s a Twist

March 13, 2026

Browse by Category

  • Canadian news feed
  • Crypto
  • Faith
  • Geothermal
  • Golf news
  • Hockey news
  • Running & fitness
  • Skateboarding
  • Sports & Fitness
  • WeMaple news

Related News

Bitcoin’s loses $78k while the US markets sleeps – risk takes over from oil as crude prices stay flat

April 23, 2026
Kraken Prepares CFTC-Regulated Perpetual Futures Launch For US Traders

Kraken Prepares CFTC-Regulated Perpetual Futures Launch For US Traders

June 13, 2026
Pi Network News: Analyst Says Pi Will Never Hit $314,159; But There’s a Twist

Pi Network News: Analyst Says Pi Will Never Hit $314,159; But There’s a Twist

March 13, 2026

Browse by Category

  • Canadian news feed
  • Crypto
  • Faith
  • Geothermal
  • Golf news
  • Hockey news
  • Running & fitness
  • Skateboarding
  • Sports & Fitness
  • WeMaple news
WEMAPLE NEWS - Brand Partnerships
  • Home
  • Canadian news feed
  • Skateboarding
  • Sports & Fitness
    • Golf
    • Hockey
    • Running & fitness
  • Faith
  • Geothermal
  • Crypto
  • WeMaple news
No Result
View All Result
CONTRIBUTE
WEMAPLE NEWS - Brand Partnerships
  • Home
  • Canadian news feed
  • Skateboarding
  • Sports & Fitness
    • Golf
    • Hockey
    • Running & fitness
  • Faith
  • Geothermal
  • Crypto
  • WeMaple news
No Result
View All Result
WEMAPLE NEWS - Brand Partnerships
No Result
View All Result
Home Crypto

Malicious worm compromises crypto domains in supply-chain attack

WeMaple AI by WeMaple AI
November 25, 2025
in Crypto
0
74
SHARES
1.2k
VIEWS
Share on FacebookShare on Twitter

On Nov. 24, security firm Aikido detected a second wave of the Shai-Hulud self-replicating npm worm, compromising 492 packages with a combined 132 million monthly downloads.

You might also like

Ripple CTO Emeritus Proposes XRPL Transaction Ordering Changes to Prevent Sandwich Attacks

Bitcoin Price Analysis (JULY): Why $58,500 Could Be the Last Quarterly Low

MemeCore (M) Price Rallies 70% as Broader Cryptocurrency Market Stabilizes

The attack struck major ecosystems, including AsyncAPI, PostHog, Postman, Zapier, and ENS, exploiting the final weeks before npm’s Dec. 9 deadline to revoke legacy authentication tokens.

Aikido’s triage queue flagged the intrusion around 3:16 AM UTC, as malicious versions of AsyncAPI’s go-template and 36 related packages began spreading across the registry.

The attacker labeled stolen-credential repositories with the description “Sha1-Hulud: The Second Coming,” maintaining theatrical branding from the September campaign.

The worm installs the Bun runtime during package setup, then executes malicious code that searches developer environments for exposed secrets using TruffleHog.

Compromised API keys, GitHub tokens, and npm credentials are published to randomly named public repositories, and the malware attempts to propagate by pushing new infected versions to up to 100 additional packages, five times the scale of the September attack.

Technical evolution and destructive payload

The November iteration introduces several modifications from the September attack.
The malware now creates repositories with randomly generated names for stolen data rather than using hardcoded names, complicating takedown efforts.

Setup code installs Bun via setup_bun.js before executing the primary payload in bun_environment.js, which contains the worm logic and credential-exfiltration routines.

The most destructive addition: if the malware cannot authenticate with GitHub or npm using stolen credentials, it wipes all files in the user’s home directory.

Aikido’s analysis revealed execution errors that limited the attack’s spread. The bundling code that copies the full worm into new packages sometimes fails to include bun_environment.js, leaving only the Bun installation script without the malicious payload.

Despite these failures, the initial compromises hit high-value targets with massive downstream exposure.

AsyncAPI packages dominated the first wave, with 36 compromised releases including @asyncapi/cli, @asyncapi/parser, and @asyncapi/generator.

PostHog followed at 4:11 AM UTC, with infected versions of posthog-js, posthog-node, and dozens of plugins. Postman packages arrived at 5:09 AM UTC.

The Zapier compromise affected @zapier/zapier-sdk, zapier-platform-cli, and zapier-platform-core, while the ENS compromise affected @ensdomains/ensjs, @ensdomains/ens-contracts, and ethereum-ens.

GitHub branch creation suggests repository-level access

The AsyncAPI team discovered a malicious branch in their CLI repository created immediately before the compromised packages appeared on npm.

The branch contained a deployed version of the Shai-Hulud malware, indicating the attacker gained write access to the repository itself rather than simply hijacking npm tokens.

This escalation mirrors the technique used in the original Nx compromise, in which attackers modified source repositories to inject malicious code into legitimate build pipelines.

Aikido estimates that 26,300 GitHub repositories now contain stolen credentials marked with the “Sha1-Hulud: The Second Coming” description.

The repositories contain secrets exposed by developer environments that ran the compromised packages, including cloud service credentials, CI/CD tokens, and authentication keys for third-party APIs.

The public nature of the leaks amplifies the damage: any attacker monitoring the repositories can harvest credentials in real time and launch secondary attacks.

Attack timing and mitigation

The timing coincides with npm’s Nov. 15 announcement that it will revoke classic authentication tokens on Dec. 9.

The attacker’s choice to launch a final large-scale campaign before the deadline suggests they recognized the window for token-based compromises was closing. Aikido’s timeline shows the first Shai-Hulud wave began Sept. 16.

The Nov. 24 “Second Coming” represents the attacker’s last opportunity to exploit legacy tokens before npm’s migration cuts off that access.

Aikido recommends that security teams audit all dependencies from affected ecosystems, particularly the Zapier, ENS, AsyncAPI, PostHog, and Postman packages installed or updated after Nov. 24.

Organizations should rotate all GitHub, npm, cloud, and CI/CD secrets used in environments where these packages were present, and search GitHub for repositories with the “Sha1-Hulud: The Second Coming” description to determine if internal credentials were exposed.

Disabling npm postinstall scripts in CI pipelines prevents future install-time execution, and pinning package versions with lock files limits exposure to newly compromised releases.

The post Malicious worm compromises crypto domains in supply-chain attack appeared first on CryptoSlate.

Read Entire Article
Tags: CryptoCryptoslate
Share30Tweet19
WeMaple AI

WeMaple AI

Recommended For You

Ripple CTO Emeritus Proposes XRPL Transaction Ordering Changes to Prevent Sandwich Attacks

by WeMaple AI
July 3, 2026
0
Ripple CTO Emeritus Proposes XRPL Transaction Ordering Changes to Prevent Sandwich Attacks

Ripple CTO Emeritus Proposes XRPL Transaction Ordering Changes to Prevent Sandwich Attacks — what the latest source material shows and why it matters

Read more

Bitcoin Price Analysis (JULY): Why $58,500 Could Be the Last Quarterly Low

by WeMaple AI
July 3, 2026
0
Bitcoin Price Analysis (JULY): Why $58,500 Could Be the Last Quarterly Low

The post Bitcoin Price Analysis (JULY): Why $58,500 Could Be the Last Quarterly Low appeared first on Coinpedia Fintech News Bitcoin recently closed at $58,500, its lowest point...

Read more

MemeCore (M) Price Rallies 70% as Broader Cryptocurrency Market Stabilizes

by WeMaple AI
July 3, 2026
0
MemeCore (M) Price Rallies 70% as Broader Cryptocurrency Market Stabilizes

MemeCore (M) Price Rallies 70% as Broader Cryptocurrency Market Stabilizes — what the latest source material shows and why it matters for crypto

Read more

Hollywood Director Sentenced to 30 Months After Spending $11M Netflix Budget on Dogecoin

by WeMaple AI
July 3, 2026
0
Hollywood Director Sentenced to 30 Months After Spending $11M Netflix Budget on Dogecoin

Hollywood Director Sentenced to 30 Months After Spending $11M Netflix Budget on Dogecoin — what the latest source material shows and why it matters

Read more

US Accounts for 96% of Global Bitcoin ATM Reductions in First Half of 2026

by WeMaple AI
July 3, 2026
0
US Accounts for 96% of Global Bitcoin ATM Reductions in First Half of 2026

US Accounts for 96% of Global Bitcoin ATM Reductions in First Half of 2026 — what the latest source material shows and why it matters for crypto

Read more
Next Post
Solana Nears $140 As Crypto Rotates Back to Risk: Could Maxi Doge Run Next?

Solana Nears $140 As Crypto Rotates Back to Risk: Could Maxi Doge Run Next?

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Related News

Bitcoin’s loses $78k while the US markets sleeps – risk takes over from oil as crude prices stay flat

April 23, 2026
Kraken Prepares CFTC-Regulated Perpetual Futures Launch For US Traders

Kraken Prepares CFTC-Regulated Perpetual Futures Launch For US Traders

June 13, 2026
Pi Network News: Analyst Says Pi Will Never Hit $314,159; But There’s a Twist

Pi Network News: Analyst Says Pi Will Never Hit $314,159; But There’s a Twist

March 13, 2026

Browse by Category

  • Canadian news feed
  • Crypto
  • Faith
  • Geothermal
  • Golf news
  • Hockey news
  • Running & fitness
  • Skateboarding
  • Sports & Fitness
  • WeMaple news
WEMAPLE NEWS – Brand Partnerships

Wemaple will be firmly committed to the public interest and democratic values.

CATEGORIES

  • Canadian news feed
  • Crypto
  • Faith
  • Geothermal
  • Golf news
  • Hockey news
  • Running & fitness
  • Skateboarding
  • Sports & Fitness
  • WeMaple news

BROWSE BY TAG

AZO Clean Tech Bitcoinist Bitcoinmagazine Canada News CBC.ca Celebrity News Christian Post CoinPedia Corporate Knights Crypto Cryptoslate Faith Geothermal Golf Hockey Lifehacker Ludwig-van.com NcrOnline newsbtc Skateboarding tomsguide.com Utah news dispatch

© 2025 wemaple.canadiana.news - all rights reserved. YYC TECH CONSULTING.

No Result
View All Result
  • Home
  • Canadian news feed
  • Skateboarding
  • Sports & Fitness
    • Golf
    • Hockey
    • Running & fitness
  • Faith
  • Geothermal
  • Crypto
  • WeMaple news

© 2025 wemaple.canadiana.news - all rights reserved. YYC TECH CONSULTING.