Executive Summary

Between September 15 and September 23, 2025, a large-scale, self-propagating supply chain attack—publicly known as Shai-Hulud—compromised the npm JavaScript package registry. Over 46,000 fake and trojanized packages were published, with more than 500 legitimate packages confirmed as compromised, including widely used libraries such as @ctrl/tinycolor and @crowdstrike/commitlint. The attack leveraged a worm-like malware that harvested sensitive credentials, including GitHub Personal Access Tokens (PATs), AWS, GCP, and Azure API keys, and npm authentication tokens. These credentials were exfiltrated to attacker-controlled endpoints and public GitHub repositories, enabling further compromise and rapid, automated propagation across the npm ecosystem. The incident represents the first documented worm in the npm supply chain, with significant implications for software development, cloud infrastructure, and third-party integrations. All technical details and recommendations in this report are based on independently corroborated primary sources, including official advisories from CISA, Palo Alto Networks Unit 42, and StepSecurity.

Technical Information

The Shai-Hulud attack is a sophisticated, multi-stage supply chain compromise targeting the npm ecosystem. The initial access vector is believed to be a credential-harvesting phishing campaign that spoofed npm and prompted developers to update their multi-factor authentication (MFA) settings. Once a developer’s credentials were compromised, the attacker published malicious versions of legitimate packages to the npm registry using the victim’s account (Palo Alto Networks Unit 42, 2025-09-23; CISA, 2025-09-23).

The core of the attack is a worm-like malware, distributed as a minified bundle.js file (~3.6MB), which is executed via a hijacked postinstall script in the compromised package’s package.json. Upon installation, the malware scans the environment for sensitive credentials, including .npmrc files, environment variables, and configuration files. It specifically targets GitHub PATs, AWS, GCP, and Azure API keys, npm authentication tokens, SSH keys, and secrets stored in cloud secret managers (StepSecurity, 2025-09-15).

The malware uses open-source tools such as TruffleHog to search for high-entropy secrets and regular expressions to identify cloud keys (e.g., AKIA[0-9A-Z]{16} for AWS). It also dumps the entire process environment to capture transient tokens like GITHUB_TOKEN and AWS_ACCESS_KEY_ID. For cloud-specific operations, the malware enumerates secrets in AWS Secrets Manager and GCP Secret Manager using their respective SDKs.

Harvested credentials are aggregated into a JSON payload and exfiltrated to two primary destinations: a public GitHub repository named Shai-Hulud (created under the victim’s account using the GitHub API) and an external endpoint at https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 (Palo Alto Networks Unit 42, 2025-09-23). The malware establishes persistence by injecting a malicious GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) via a base64-encoded bash script. This workflow triggers on push events and exfiltrates repository secrets using the ${{ toJSON(secrets) }} expression.

The worm’s self-propagation engine leverages the NpmModule.updatePackage function, which queries the npm registry API to identify up to 20 packages owned by the compromised maintainer. It then force-publishes new, trojanized versions of these packages, recursively infecting the maintainer’s entire package portfolio and, by extension, the broader npm ecosystem. This automated process enables exponential spread without direct actor intervention.

The attack is designed to execute on Linux and macOS environments, deliberately skipping Windows systems by checking the operating system platform. The malware’s codebase includes comments and emojis, leading analysts to assess with moderate confidence that a large language model (LLM) was used to assist in its development (Palo Alto Networks Unit 42, 2025-09-23).

The impact of the attack is severe. Stolen credentials can be used to compromise cloud services, leading to data theft, ransomware deployment, cryptomining, or deletion of production environments. Hijacked GitHub and npm tokens enable further supply chain attacks, privilege escalation, and phishing campaigns. The attack also poses significant regulatory and compliance risks if customer or production data is exfiltrated.

Technical mapping to the MITRE ATT&CK framework includes: - Initial Access: Supply Chain Compromise (T1195.002) - Execution: Command and Scripting Interpreter (T1059.003) - Credential Access: Credentials from Password Stores (T1555), Unsecured Credentials (T1552) - Persistence: Create or Modify System Process (T1543.003) - Lateral Movement: Use Alternate Authentication Material (T1550.001) - Exfiltration: Exfiltration Over Web Service (T1567.002) - Defense Evasion: Obfuscated Files or Information (T1027)

All technical claims are supported by primary evidence from malware analysis, official advisories, and direct observation of compromised packages and exfiltration endpoints.

Affected Versions & Timeline

The attack was first publicly analyzed by StepSecurity on September 15, 2025, confirming over 500 compromised packages, including @ctrl/tinycolor and @crowdstrike/commitlint (StepSecurity, 2025-09-15). On September 16, 2025, additional reports identified ongoing attacks targeting CrowdStrike npm packages. Palo Alto Networks Unit 42 updated their technical analysis on September 18-19, 2025, confirming worm-like propagation and credential harvesting (Palo Alto Networks Unit 42, 2025-09-23). CISA issued an official alert and remediation guidance on September 23, 2025 (CISA, 2025-09-23).

Affected package versions include, but are not limited to: @ctrl/tinycolor (4.1.1, 4.1.2), @crowdstrike/commitlint (8.1.1, 8.1.2), @nativescript-community/sqlite (3.5.2, 3.5.3, 3.5.4, 3.5.5), and hundreds more. The full list of affected packages is available in the StepSecurity technical analysis (StepSecurity, 2025-09-15).

The attack primarily impacts package versions published between September 15 and September 23, 2025. Organizations should consider all npm packages updated or published during this window as potentially at risk, especially if they are maintained by developers with a history of publishing multiple packages.

Threat Activity

The Shai-Hulud campaign is characterized by its automated, worm-like propagation and credential harvesting capabilities. The threat actor exploited compromised developer credentials to publish trojanized packages, which, when installed, executed a post-installation script to harvest secrets and propagate the malware further.

The malware’s propagation engine recursively infected all packages maintained by a compromised developer, leading to a cascading compromise effect across the npm registry. The attack targeted high-value credentials, including GitHub PATs, AWS, GCP, and Azure API keys, npm authentication tokens, and secrets stored in cloud secret managers. The malware established persistence by injecting a malicious GitHub Actions workflow, enabling ongoing exfiltration of repository secrets.

Exfiltrated credentials were uploaded to public GitHub repositories named Shai-Hulud and to the external endpoint https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7. The attack was designed to execute on Linux and macOS systems, skipping Windows environments.

The campaign’s scale and automation represent a significant escalation in supply chain attack techniques. The use of LLM-generated code, as evidenced by comments and emojis in the malware’s bash script, suggests a novel approach to malware development, though no direct attribution to a known threat actor has been established. The attack’s primary targets were software developers, organizations relying on npm packages for CI/CD pipelines, and cloud infrastructure providers.

Mitigation & Workarounds

The following mitigation steps are prioritized by severity:

Critical: Immediately rotate all developer credentials, including GitHub PATs, npm tokens, and all cloud API keys (for AWS, GCP, and Azure). Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms such as GitHub and npm (CISA, 2025-09-23).

Critical: Conduct a comprehensive dependency review of all software leveraging the npm package ecosystem. Use package-lock.json or yarn.lock files to identify affected packages, including those nested in dependency trees. Search for cached versions of affected dependencies in artifact repositories and dependency management tools.

High: Pin npm package dependency versions to known safe releases produced prior to September 16, 2025. Remove or quarantine all package versions published between September 15 and September 23, 2025, unless independently verified as safe.

High: Monitor for anomalous network behavior, including outbound connections to webhook.site domains and the creation of public GitHub repositories named Shai-Hulud. Block outbound connections to known exfiltration endpoints and monitor firewall logs for suspicious domains.

High: Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, auditing repository webhooks and secrets, enabling branch protection rules, and activating GitHub Secret Scanning alerts and Dependabot security updates.

Medium: Audit all GitHub Actions workflows for unauthorized or suspicious files, especially .github/workflows/shai-hulud-workflow.yml. Remove any unauthorized workflows and review commit histories for evidence of compromise.

Medium: Review and rotate all secrets stored in AWS Secrets Manager, GCP Secret Manager, and similar services. Audit access logs for unauthorized access or exfiltration events.

Low: Educate developers and DevOps teams on phishing risks, credential hygiene, and secure package publishing practices. Encourage the use of hardware security keys for MFA.

All mitigation steps should be implemented in coordination with incident response and security teams. Organizations should also consider engaging with third-party risk management platforms to continuously monitor for supply chain threats.

References

CISA: https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem

Palo Alto Networks Unit 42: https://unit42.paloaltonetworks.com/npm-supply-chain-attack/

StepSecurity: https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

About Rescana

Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor, assess, and respond to supply chain threats, including those affecting open-source software ecosystems such as npm. Our platform supports automated dependency analysis, credential exposure detection, and integration with incident response workflows to help organizations identify and mitigate risks from compromised third-party components.

For questions or further information, please contact us at ops@rescana.com.