Executive Summary
A significant escalation in npm supply chain threats has emerged following the leak of the Shai-Hulud malware source code. This advanced infostealer, previously attributed to the TeamPCP hacker group, is now fueling a new campaign that targets the npm ecosystem with malicious packages. Attackers are leveraging typosquatting and compromised maintainer accounts to distribute trojanized packages, which, once installed, exfiltrate sensitive developer and cloud credentials, secrets, and cryptocurrency wallet data. The campaign also introduces persistent backdoors and DDoS botnet capabilities, amplifying the risk to organizations relying on open-source JavaScript dependencies. The blast radius is extensive, with over 25,000 GitHub repositories and hundreds of npm packages affected, impacting major projects and organizations globally. This report provides a comprehensive technical analysis, threat actor profiling, exploitation details, victimology, and actionable mitigation strategies to help organizations defend against this evolving threat.
Threat Actor Profile
The original Shai-Hulud malware has been linked to the TeamPCP hacker group, known for sophisticated supply chain attacks and credential theft operations. However, the current npm infostealer campaign appears to be orchestrated by copycat actors who have weaponized the leaked, non-obfuscated Shai-Hulud source code. These actors demonstrate a high level of technical proficiency in supply chain compromise, leveraging both typosquatting and account takeover techniques to maximize distribution. The campaign is characterized by opportunistic targeting, rapid propagation, and the use of public infrastructure (notably GitHub repositories) for exfiltration and persistence. No confirmed nation-state or advanced persistent threat (APT) attribution has been established for this wave, but the tactics, techniques, and procedures (TTPs) align with financially motivated cybercriminals seeking to monetize stolen credentials and access.
Technical Analysis of Malware/TTPs
The attack vector centers on malicious npm packages, including but not limited to chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages are distributed via typosquatting—registering names similar to popular packages such as axios—and through compromised maintainer accounts. Upon installation, the malware executes during the preinstall lifecycle phase, ensuring execution on both developer workstations and CI/CD environments.
The core payloads, such as setup_bun.js and bun_environment.js, are responsible for harvesting a wide array of secrets. These include GitHub tokens, AWS, GCP, and Azure credentials, SSH keys, and cryptocurrency wallet data. The malware scans environment variables, configuration files, and cloud metadata endpoints to maximize credential theft. Exfiltration is achieved via HTTP POST requests to attacker-controlled GitHub repositories, often publishing one victim’s secrets into another’s repository to obfuscate attribution and complicate incident response.
A notable innovation in this campaign is the deployment of persistent backdoors through GitHub Actions workflows. The malware creates or modifies .github/workflows/discussion.yaml files, registering infected machines as self-hosted runners and enabling remote code execution via GitHub Discussions. This persistence mechanism allows attackers to maintain access even after initial remediation steps.
Some variants, particularly axois-utils, incorporate DDoS botnet functionality, enabling HTTP, TCP, and UDP flood attacks, as well as TCP reset attacks. The malware references a “phantom bot” architecture, conscripting infected systems into a distributed attack network.
The codebase is a near-exact copy of the leaked Shai-Hulud source, with minimal to no obfuscation, suggesting rapid weaponization by actors outside the original TeamPCP group.
Exploitation in the Wild
The campaign has been active since at least November 2025, with ongoing discovery of new malicious packages and compromised repositories. Over 25,000 GitHub repositories and approximately 700 npm packages have been identified as affected, with a combined download count in the thousands before removal. Major projects impacted include Zapier, ENS Domains, PostHog, Postman, and AsyncAPI, among others.
Infected systems have been observed exfiltrating credentials to attacker-controlled GitHub repositories and participating in DDoS attacks. The use of public GitHub infrastructure for exfiltration and persistence increases the risk of further supply chain compromise, as stolen credentials can be leveraged to attack downstream dependencies and organizations.
GitHub and npm have responded by revoking compromised tokens, removing malicious repositories, and notifying affected users. However, the scale and sophistication of the campaign mean that many organizations may remain unaware of latent infections or credential exposure.
Victimology and Targeting
The targeting is broad and opportunistic, affecting organizations and developers who rely on the npm ecosystem for JavaScript and Node.js development. The campaign exploits the widespread use of open-source dependencies and the prevalence of automated CI/CD pipelines, which often run with elevated privileges and access to sensitive secrets.
Victims include individual developers, open-source projects, and large enterprises. Notably, the attack has impacted high-profile projects such as @postman/tunnel-agent, posthog-node, @asyncapi/specs, posthog-js, get-them-args, shell-exec, kill-port, @zapier/ai-actions, @zapier/zapier-sdk, @ensdomains/ensjs, and @voiceflow/api-sdk. The full list of affected packages and versions is maintained by Wiz Research and is available in their public IOC repository.
The campaign’s use of cross-victim exfiltration—publishing one victim’s secrets in another’s repository—complicates attribution and increases the risk of cascading supply chain attacks.
Mitigation and Countermeasures
Organizations should take immediate and comprehensive action to mitigate the risk posed by the Shai-Hulud npm infostealer campaign. All environments should be audited for the presence of known malicious packages, including chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils, and any packages listed in the Wiz IOC CSV. Remove and replace any compromised packages, and roll back to known clean versions, ideally those published before November 21, 2025.
All credentials, including npm tokens, GitHub personal access tokens, SSH keys, and cloud provider credentials, must be rotated immediately. Audit for unauthorized GitHub repository creation and suspicious workflow files, particularly those referencing “Shai-Hulud” or containing .github/workflows/discussion.yaml.
Restrict or disable npm lifecycle scripts (preinstall/postinstall) in CI/CD environments to prevent automatic execution of malicious code. Monitor for network connections to known C2 infrastructure, such as 87e0bbc636999b[.]lhr[.]life, and for anomalous traffic to public GitHub repositories.
Implement dependency pinning and use software composition analysis tools to detect unauthorized changes or typosquatting in your dependency tree. Regularly review and update your organization’s incident response playbooks to address supply chain threats and credential exposure.
For a full, authoritative list of affected packages and hashes, refer to the Wiz IOC Repository.
References
BleepingComputer: Leaked Shai-Hulud malware fuels new npm infostealer campaign, Wiz Blog: Shai-Hulud 2.0 Supply Chain Attack, Wiz IOC Repository (CSV of affected packages): https://github.com/wiz-sec-public/wiz-research-iocs/, Aikido Blogpost: Shai-Hulud Strikes Again, Step Security Blogpost: Ctrl-TinyColor and 40+ npm Packages Compromised, MITRE ATT&CK: Supply Chain Compromise, Reddit: InfoSecNews thread, Palo Alto Networks Unit42: npm Supply Chain Attack
About Rescana
Rescana empowers organizations to proactively manage third-party risk and supply chain security through our advanced TPRM platform. Our solution provides continuous monitoring, automated risk assessment, and actionable intelligence to help you identify and mitigate threats across your digital ecosystem. For questions or incident response support, we are happy to assist at ops@rescana.com.
