ENS npm packages hit by Shai-Hulud
Part of the Sha1-Hulud worm spread across npm packages campaign
The Sha1-Hulud "Second Coming" npm worm compromised many Ethereum Name Service packages, including @ensdomains/ensjs, @ensdomains/ens-contracts, @ensdomains/ens-validation, ethereum-ens, and supporting ENS libraries.
Story
ENS was one of the largest package groups in the Sha1-Hulud "Second Coming" npm wave. The compromised scope included core ENS packages, support libraries, CCIP-read components, DNSSEC tooling, and the legacy ethereum-ens package.
The attack used the same basic shape as the broader Shai-Hulud family: compromised npm publishing access, malicious package releases, credential theft, and self-propagation through stolen tokens. ENS is modeled separately because the affected package set is large enough to matter on its own.
The impact was developer-side, not a direct compromise of ENS smart contracts. Affected packages could run during installation or when used in build environments, putting npm tokens, GitHub tokens, and other developer credentials at risk.
This record keeps the package list explicit so downstream analysis can answer which ENS artifacts were affected. The campaign record holds the cross-package story; this attack record covers the ENS trust boundary and artifact scope.
Affected Artifacts
- Observed: 2025-11-23 to 2025-11-24
- Compromised Versions
- Fixed: Not listed
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Third Party
External References
- Zapier's npm account compromised in Sha1-Hulud attack (cybersecuritynews.com)
- Sha1-Hulud - The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised (stepsecurity.io)
- Sha1-Hulud - The Second Coming archived package list (stepsecurity-public-media.s3.us-west-2.amazonaws.com)
Source record: oss/attacks/ensdomains-npm/meta.yaml