NPM Supply Chain Attack: Shai-Hulud Worm Compromises 500+ Packages


Executive Summary

The NPM ecosystem is currently under attack from one of the most sophisticated and dangerous supply chain campaigns to date — dubbed Shai-Hulud. This marks the first-ever self-replicating worm in the NPM environment, impacting over 500 packages with millions of weekly downloads.

Unlike traditional supply chain attacks, Shai-Hulud exhibits autonomous worm-like behavior, capable of self-propagating across packages and stealing sensitive credentials without human intervention. This threat highlights an alarming evolution in software supply chain compromise techniques.


Attack Timeline

The campaign began on September 14, 2025, with the compromise of the package [email protected]. From there, the attackers escalated their efforts through phishing campaigns targeting NPM maintainers, injecting malicious payloads into widely used packages.

Key Events:

  • September 14, 2025: First compromised package published
  • September 15, 2025: Public disclosure of the attack
  • September 16, 2025: Over 180 packages compromised
  • September 18, 2025: Over 500 packages confirmed impacted


Attack Vector

Attackers executed a targeted phishing campaign masquerading as NPM security alerts to compromise maintainers’ credentials. Once access was gained, malicious payloads were injected using the postinstall lifecycle hook, ensuring automatic execution upon installation of infected packages.

Key Characteristics of the Shai-Hulud Worm

Self-Propagation:
 The worm uses the NpmModule.updatePackage function to download, modify, and re-publish infected packages.

Autonomous Execution:
 The attack uses legitimate tools (e.g., TruffleHog, GitHub APIs) to operate independently once deployed.

Multi-Stage Payload:
 The payload (a ~3.6 MB bundle.js file) combines credential theft, GitHub Actions injection, repository cloning, and worm replication logic.


Immediate Impact

Credential Theft

Harvested secrets include:

  • NPM publishing tokens
  • GitHub personal access tokens
  • AWS access keys
  • Google Cloud credentials
  • SSH private keys
  • Cryptocurrency wallet data


Repository Compromise

Malicious code performed the following actions:

  • Created public GitHub repos named “Shai-Hulud” with exposed secrets
  • Cloned private repos and made them public
  • Injected GitHub Actions workflows for persistent backdoor access


What You Should Do

1. Audit Dependencies

  • Scan package-lock.json, pnpm-lock.yaml, and yarn.lock for affected packages
  • Check internal registries for known malicious versions
  • Use IOCs (below) to detect infection

2. Rotate All Credentials

  • Immediately rotate all NPM, GitHub, and cloud provider tokens
  • Replace CI/CD pipeline secrets
  • Revoke and re-issue API keys

3. Quarantine Compromised Systems

  • Isolate affected developer machines and environments
  • Suspend auto-update tools until full remediation
  • Disable infected packages in build pipelines

4. Monitor Network Activity

  • Block connections to webhook.site
  • Monitor outbound traffic to known C2 endpoints
  • Segment developer and CI/CD networks

5. Repository & Workflow Review

  • Search for public repos named “Shai-Hulud”
  • Investigate visibility changes in private repositories
  • Audit GitHub Actions workflows for suspicious automation

6. File & Behavior Scanning

  • Search for bundle.js and "postinstall": "node bundle.js" entries
  • Monitor for unexpected TruffleHog scans
  • Deploy EDR rules to detect postinstall execution and data exfiltration
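
The dependency audit from step 1, as an added example (not code from the original advisory): it reads a parsed npm package-lock.json (lockfileVersion 2 or 3), matches every entry against a deny list, and separately reports each dependency that declares install scripts. The function name, the sample lockfile and the deny-list entry are constructed placeholders.

```javascript
const NM = 'node_modules/';

// Audit a parsed package-lock.json (lockfileVersion 2 or 3).
// denyList holds "name@version" strings taken from a vetted advisory feed.
function auditLockfile(lock, denyList) {
  const denied = new Set(denyList);
  const findings = { compromised: [], installScripts: [] };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project entry and workspace links (no version of their own).
    if (key === '' || meta.link) continue;
    // Keys look like "node_modules/a/node_modules/@scope/b"; the package name
    // is whatever follows the last "node_modules/" segment.
    const at = key.lastIndexOf(NM);
    const name = meta.name || (at === -1 ? key : key.slice(at + NM.length));
    const id = `${name}@${meta.version}`;
    if (denied.has(id)) findings.compromised.push({ id, path: key });
    // npm sets hasInstallScript on entries that declare preinstall, install
    // or postinstall hooks, the mechanism this worm relies on to execute.
    if (meta.hasInstallScript) findings.installScripts.push({ id, path: key });
  }
  return findings;
}

// Constructed sample lockfile: every name and version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-example': { version: '2.1.0' },
    'node_modules/@example/colors': { version: '4.1.1', hasInstallScript: true },
    'node_modules/left-example/node_modules/@example/colors': { version: '4.0.0' },
  },
};

// Placeholder deny-list entry; real entries come from an advisory's package list.
const report = auditLockfile(SAMPLE_LOCK, ['@example/colors@4.1.1']);
console.log(JSON.stringify(report, null, 2));
```

To audit a real project, pass the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument. pnpm-lock.yaml and yarn.lock use different formats and need their own parsers.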


Malware Capabilities

  • Repository Cloning: Converts private repos into public ones while preserving full commit history.
  • Workflow Injection: GitHub Actions workflows serialize and exfiltrate secrets using attacker-controlled endpoints.
  • Cloud Enumeration: Interfaces with AWS Secrets Manager and GCP Secrets API to extract cloud credentials.


Indicators of Compromise (IOCs)

File Hashes (SHA-256)



Network Indicators

  • Primary C2: webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
  • Defanged: hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

File & Pattern Indicators

  • bundle.js in root package directory
  • postinstall script in package.json
  • GitHub workflows named shai-hulud-workflow.yml
  • Repositories with the term “Shai-Hulud”
  • Files named data.json with double base64 encoding
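
An added example (not from the original advisory) that walks a project tree looking for three of the file and pattern indicators listed above: an install hook that runs bundle.js, a bundle.js in a package root, and a shai-hulud-workflow.yml workflow. The function name scanTree and the shape of the findings are assumptions of this example.

```javascript
// Indicator names come from the "File & Pattern Indicators" list above.
const PAYLOAD_FILE = 'bundle.js';
const WORKFLOW_FILE = 'shai-hulud-workflow.yml';
const HOOKS = ['preinstall', 'install', 'postinstall'];

// Recursively walk `root` and return one finding per indicator hit.
// Dynamic import() lets the function load from CommonJS or ES modules.
async function scanTree(root) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const findings = [];

  async function walk(dir) {
    const entries = await fs.readdir(dir, { withFileTypes: true });
    const names = new Set(entries.map((e) => e.name));
    if (names.has('package.json')) {
      let scripts = {};
      try {
        const raw = await fs.readFile(path.join(dir, 'package.json'), 'utf8');
        scripts = JSON.parse(raw).scripts || {};
      } catch { /* malformed manifest: still check the files beside it */ }
      for (const hook of HOOKS) {
        if (typeof scripts[hook] === 'string' && scripts[hook].includes(PAYLOAD_FILE)) {
          findings.push({ dir, indicator: `${hook} runs ${PAYLOAD_FILE}` });
        }
      }
      // Weak on its own (bundle.js is a common file name); strong next to a hook hit.
      if (names.has(PAYLOAD_FILE)) {
        findings.push({ dir, indicator: `${PAYLOAD_FILE} in package root` });
      }
    }
    if (names.has(WORKFLOW_FILE) && dir.endsWith(path.join('.github', 'workflows'))) {
      findings.push({ dir, indicator: `workflow ${WORKFLOW_FILE}` });
    }
    for (const e of entries) {
      // Dirent.isDirectory() is false for symlinks, so linked packages
      // (pnpm, workspaces) are not followed and cannot cause loops.
      if (e.isDirectory() && e.name !== '.git') await walk(path.join(dir, e.name));
    }
  }

  await walk(root);
  return findings;
}
```

Call it as `scanTree(process.cwd()).then(console.log)` from a checkout that includes node_modules. Treat any hit as a lead for manual review of that directory, not as a verdict.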

Behavioral Indicators

  • Spike in npm publish activity from single user accounts
  • TruffleHog scans originating from dev environments
  • Outbound POST requests to webhook.site
  • Sudden creation of public repos containing encoded data


Important Clarification: High-Profile Packages Affected

While over 500 packages have been compromised, it’s important to note that this campaign is not limited to obscure or low-traffic libraries. Among the compromised packages are popular, trusted, and widely used dependencies, including:

  • @ctrl/tinycolor — a package with millions of downloads per week
  • NPM packages maintained under the CrowdStrike namespace
  • Additional packages likely embedded within critical CI/CD pipelines and internal tooling

This highlights the severity of the threat: attackers have not just targeted long-tail packages, but have successfully compromised packages from respected vendors and maintainers. These were infected via phishing attacks against developers with valid publishing credentials, enabling malicious versions to be published under trusted names.

As a result, organizations must not assume safety based on a package’s popularity, brand recognition, or historical trustworthiness. All dependencies must be treated as potential attack vectors unless verified through proper scanning and auditing.


Monday, September 23

GitHub announced upcoming changes to its authentication and publishing mechanisms in response to a wave of supply chain attacks targeting the npm ecosystem—most notably the recent Shai-Hulud attack.

To better secure the npm registry and protect against token abuse and self-replicating malware, GitHub is introducing several key updates:

  • Trusted Publishing: Allows secure publishing of npm packages directly from CI/CD workflows using OpenID Connect (OIDC). This removes the need for long-lived npm tokens and instead uses short-lived, workflow-specific credentials that are non-reusable and non-exfiltratable.
  • Provenance Attestations: The npm CLI will automatically generate and publish cryptographic proofs of the package’s origin and build environment. This enables consumers to verify where and how a package was built, significantly increasing trust in the software supply chain.

As part of the rollout, GitHub will also implement the following changes:

  • Deprecate legacy classic tokens.
  • Deprecate TOTP-based 2FA, migrating users to FIDO-based 2FA.
  • Limit granular tokens with publishing permissions to a 7-day expiration.
  • Disallow publishing tokens by default, encouraging use of trusted publishing or local publishing with enforced 2FA.
  • Remove the option to bypass 2FA for local publishing.
  • Expand support for additional CI/CD providers under trusted publishing.

These actions follow the discovery of the Shai-Hulud worm, which infected hundreds of npm packages. The malware was capable of self-replication and exfiltration of developer secrets, posing a significant risk to the ecosystem.

“By combining self-replication with the capability to steal multiple types of secrets (and not just npm tokens), this worm could have enabled an endless stream of attacks had it not been for timely action from GitHub and open source maintainers,” said Xavier René-Corail, GitHub.


How VerSprite Can Help

This attack underscores the critical need for proactive, real-time, and AI-powered security operations — all of which are core to VerSprite’s Cyber Defense offerings.

Based on this threat scenario, here’s how VerSprite helps secure your environment:

Managed Detection & Response (MDR) / vSOC Services

  • 24/7 monitoring of package dependencies, cloud activity, and endpoint telemetry
  • AI-powered behavioral analysis to detect credential misuse and package anomalies
  • Real-time alerting and incident response coordination for fast containment

Threat Intelligence & OSINT Monitoring

  • Continuous threat intelligence gathering on supply chain attacks and developer-focused threats
  • Integration with OpenCTI and custom intelligence feeds to monitor GitHub, NPM, PyPI, and more
  • IOCs and TTPs shared with clients for active defense and detection rule updates

Supply Chain Risk Advisory

  • Vendor and open-source package security assessments
  • Third-party breach monitoring to identify compromised repositories and dependencies
  • Due diligence on development pipeline risks

Detection Engineering (DaaS, MITRE ATT&CK Mapping)

  • Custom detection rule development for EDR, SIEM, and SOAR platforms
  • Threat modeling and attack simulation (e.g., emulating Shai-Hulud behavior)
  • Detection gap assessments using Caldera, Atomic Red Team, etc.

Security Automation (SOAR, SIEM Optimization)

  • Automated workflows for credential rotation, repository monitoring, and IOC ingestion
  • SOAR playbooks for supply chain incident response and GitHub workflow scanning
  • Integration of alert triggers into Slack, Jira, PagerDuty, etc.

Incident Response & Digital Forensics

  • Full IR support for credential theft, source code exfiltration, and CI/CD compromise
  • Forensic analysis of malicious GitHub workflows, NPM scripts, and compromised endpoints
  • Tabletop exercises to prepare for future open-source ecosystem attacks


Final Thoughts

The Shai-Hulud worm marks a turning point in how we view supply chain threats — this is no longer about a single compromised library, but autonomous malware that spreads on its own and exploits trust in development ecosystems.

Organizations must respond with the same level of sophistication attackers are using — blending automation, threat intelligence, and proactive defense.


VerSprite’s Cyber Defense Group is ready to help. Whether you’re looking to harden your development pipeline, respond to a breach, or gain visibility across your software supply chain, our team combines deep expertise, proven methodology, and modern AI-driven tooling to keep your business ahead of the threat curve.
