@ensdomains
We have identified that certain npm packages starting with @ensdomains published around 5:49am UTC today may be affected by a Sha1-Hulud supply-chain attack that has compromised over 400 NPM libraries, including several ENS packages.
The team has updated all latest tags and is proceeding with key rotations and currently attempting to unpublish all impacted versions.
USERS: Current reviews indicate that ENS Labs-operated websites, including app.ens.domains, have not shown signs of impact related to this issue. At this time, there is no evidence that names have been affected.
DEVS: If you have not installed ENS packages within the past 11 hours [since 5:49am UTC on November 24, 2025], there is no indication you are affected.
If you have, please refer to the following link with a list of affected packages and install the latest version.
2 replies
6 recasts
22 reactions