ensdomains-npm
ENS NPM Account Compromise (Shai Hulud V2)
The Sha1-Hulud "Second Coming" npm worm compromised many Ethereum Name Service packages, including @ensdomains/ensjs, @ensdomains/ens-contracts, @ensdomains/ens-validation, ethereum-ens, and supporting ENS libraries. Affected releases invoked Bun from a preinstall hook and ran an obfuscated payload that harvested GitHub, npm, cloud, and local secrets, exfiltrated them through public GitHub repositories, attempted npm propagation, registered a self-hosted GitHub Actions runner, and included destructive behavior on non-CI Linux hosts.
- Date: 2025-11-23 to 2025-11-24
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Credential theft
- Cause: Compromised Account/Credentials
What Was Affected
- Package: ensdomains-npm
- Language: JavaScript
- Component: Library
- Artifact type: source archive
- Domain type: package host
- Domain: npmjs.com
- Repository: github.com/ensdomains/ens-contracts
Compromised Versions
- @ensdomains/address-encoder@1.1.5
- @ensdomains/blacklist@1.0.1
- @ensdomains/buffer@0.1.2
- @ensdomains/ccip-read-cf-worker@0.0.4
- @ensdomains/ccip-read-dns-gateway@0.1.1
- @ensdomains/ccip-read-router@0.0.7
- @ensdomains/ccip-read-worker-viem@0.0.4
- @ensdomains/content-hash@3.0.1
- @ensdomains/curvearithmetics@1.0.1
- @ensdomains/cypress-metamask@1.2.1
- @ensdomains/dnsprovejs@0.5.3
- @ensdomains/dnssec-oracle-anchors@0.0.2
- @ensdomains/dnssecoraclejs@0.2.9
- @ensdomains/durin@0.1.2
- @ensdomains/durin-middleware@0.0.2
- @ensdomains/ens-archived-contracts@0.0.3
- @ensdomains/ens-avatar@1.0.4
- @ensdomains/ens-contracts@1.6.1
- @ensdomains/ens-test-env@1.0.2
- @ensdomains/ens-validation@0.1.1
- @ensdomains/ensjs@4.0.3
- @ensdomains/ensjs-react@0.0.5
- @ensdomains/eth-ens-namehash@2.0.16
- @ensdomains/hackathon-registrar@1.0.5
- @ensdomains/hardhat-chai-matchers-viem@0.1.15
- @ensdomains/hardhat-toolbox-viem-extended@0.0.6
- @ensdomains/mock@2.1.52
- @ensdomains/name-wrapper@1.0.1
- @ensdomains/offchain-resolver-contracts@0.2.2
- @ensdomains/op-resolver-contracts@0.0.2
- @ensdomains/react-ens-address@0.0.32
- @ensdomains/renewal@0.0.13
- @ensdomains/renewal-widget@0.1.10
- @ensdomains/reverse-records@1.0.1
- @ensdomains/server-analytics@0.0.2
- @ensdomains/solsha1@0.0.4
- @ensdomains/subdomain-registrar@0.2.4
- @ensdomains/test-utils@1.3.1
- @ensdomains/thorin@0.6.51
- @ensdomains/ui@3.4.6
- @ensdomains/unicode-confusables@0.1.1
- @ensdomains/unruggable-gateways@0.0.3
- @ensdomains/vite-plugin-i18next-loader@4.0.4
- @ensdomains/web3modal@1.10.2
- ethereum-ens@0.8.1
Incident Context
- Motive: Credential Theft
- Attribution: Third Party
- Transitive: No
- User Impact: 0
- Observed Duration: 1 day
Source Data
Source record: oss/ensdomains-npm/meta.yaml