"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack
Sept. 18, 2025, 7:26 a.m.
Description
A widespread software supply chain attack on the npm (Node Package Manager) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 packages, including widely used libraries. It harvests credentials from the machine on which a trojanized package is installed, exfiltrates them, and propagates by using stolen npm publishing tokens to push trojanized versions of other packages the compromised maintainer is allowed to publish, so each infected account widens the blast radius. The attack likely originated from a phishing campaign spoofing npm. The malware scans for sensitive credentials, including npm tokens and cloud service API keys, and publishes them to public GitHub repositories, so any secret present on an affected developer's machine or CI runner should be treated as exposed and rotated, not only the npm token. This attack represents a significant evolution in supply chain threats, potentially leading to cloud service compromise, data theft, and lateral movement within networks.
Date
- Created: Sept. 18, 2025, 1:15 a.m.
- Published: Sept. 18, 2025, 1:15 a.m.
- Modified: Sept. 18, 2025, 7:26 a.m.