Shai-Hulud worm infects npm packages

Sept. 25, 2025, 7:01 p.m.

Description

A self-propagating malware called Shai-Hulud has infected over 500 npm packages, including one with over two million weekly downloads. The worm steals sensitive data, exposes private repositories, and hijacks victim credentials to spread further. It runs when an infected package is installed, collecting system information and GitHub tokens. The malware then exfiltrates secrets from repositories, turns private repositories public, and self-replicates by infecting the victim's most downloaded packages. Notable infected libraries include those from CrowdStrike. The infection started with ngx-bootstrap version 18.1.4. Prevention measures include using specialized solutions for monitoring open-source components and implementing comprehensive security systems.
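As an added, defensive example that is not part of the original report: a small Node.js audit that flags package manifests declaring install-time lifecycle scripts (the mechanism by which a package runs code when it is installed) and the package/version the report names as the origin, ngx-bootstrap 18.1.4. The manifests below are constructed inline; in practice they would be read from each node_modules/*/package.json.

```javascript
// Added defensive example (not code from the report or from any affected project).
// Flags two things in a set of npm package manifests:
//  1. install-time lifecycle scripts, which execute on `npm install`;
//  2. the package/version the report names as the first infected release.

// npm lifecycle hooks that run during installation of a dependency.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Package/version taken from the report; extend from your own advisory feed.
const KNOWN_INFECTED = { "ngx-bootstrap": new Set(["18.1.4"]) };

// manifests: array of parsed package.json objects ({ name, version, scripts }).
// Returns one finding per matched condition, in manifest order.
function auditManifests(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length > 0) {
      findings.push({
        name: pkg.name,
        version: pkg.version,
        reason: "lifecycle-script",
        detail: hooks.map((h) => `${h}: ${scripts[h]}`).join("; "),
      });
    }
    const badVersions = KNOWN_INFECTED[pkg.name];
    if (badVersions && badVersions.has(pkg.version)) {
      findings.push({
        name: pkg.name,
        version: pkg.version,
        reason: "known-infected-version",
        detail: "version named in the Shai-Hulud report",
      });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical names, not real package contents).
const SAMPLE_MANIFESTS = [
  { name: "tidy-strings-example", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "suspicious-example", version: "2.3.1", scripts: { postinstall: "node setup_bundle.js" } },
  { name: "ngx-bootstrap", version: "18.1.4", scripts: {} },
];

console.log(JSON.stringify(auditManifests(SAMPLE_MANIFESTS), null, 2));
```

A lifecycle-script finding is a prompt for review, not proof of compromise, since many legitimate packages use postinstall; npm's `ignore-scripts` setting disables these hooks entirely for installs where that is acceptable.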

Date

  • Created: Sept. 25, 2025, 2:10 p.m.
  • Published: Sept. 25, 2025, 2:10 p.m.
  • Modified: Sept. 25, 2025, 7:01 p.m.