UPDATE: All affected npm package versions have been removed, and it appears there were zero downloads of these compromised versions. Our investigation found that the malicious script originated from a separate project, unrelated to ENS Labs’ core code. This project ran a postinstall script for a PostHog dependency that contained the Shai Hulud malware. The impacted development environment was disconnected, and all publishing credentials are being rotated. We are also strengthening our repositories and deployment procedures to further reduce the likelihood of future supply chain attacks.(ens.eth)