Beginning on September 14, 2025, and accelerating over the next two days, attackers launched a large-scale supply-chain attack against the npm ecosystem. The campaign injected post-install malware into dozens of packages, enabling credential theft (GitHub, npm, cloud keys), planting malicious GitHub Actions workflows, and exfiltrating secrets to attacker-controlled repos labeled “Shai-Hulud.”
Using stolen npm tokens, the malware then self-propagated by publishing trojanized updates across additional packages. To date, more than 180 packages have been compromised, including several briefly associated with CrowdStrike’s open-source projects before removal.
This is the first widely observed self-replicating “worm” in the npm ecosystem, and the campaign remains ongoing. Treat any developer machine or build agent that installed affected versions as potentially compromised.
How the “Worm” Spreads
- Malware delivery: A trojanized npm release installs normally but runs a hidden bundle.js during postinstall.
- Reconnaissance & credential harvesting: bundle.js executes TruffleHog and custom scanners to locate GITHUB_TOKEN, NPM_TOKEN, AWS_* keys and other secrets on the host.
- Cloud metadata probing: When running in CI or cloud build agents, the payload queries instance metadata endpoints to capture short-lived credentials.
- Persistence via CI workflows: The malware writes a workflow (e.g., shai-hulud.yaml) into .github/workflows, enabling exfiltration to run inside pipelines where secrets and artifacts are available.
- Worm-like propagation: Validated npm tokens are used to publish trojanized updates to other packages owned by the maintainer, spreading the same post-install payload to downstream consumers.
MITRE Mapping
| Tactic | Technique |
| --- | --- |
| Initial Access | T1195 Supply Chain Compromise |
| Credential Access | T1552 Unsecured Credentials; T1555 Credentials from Password Stores |
| Persistence | T1546 Event-Triggered Execution (via GitHub Actions workflows) |
| Exfiltration | T1041 Exfiltration over C2 Channel |
| Lateral Movement | T1078 Valid Accounts (npm tokens) |
Indicators of Compromise (IOCs)
| Category | Indicators |
| --- | --- |
| Malicious Files | bundle.js (post-install payload), SHA-256 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 |
| Exfiltration Endpoints | hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 |
| GitHub Artifacts | Repos titled “Shai-Hulud” or “Shai-Hulud Migration”; workflow files named shai-hulud.yaml or shai-hulud-workflow.yml; branches named shai-hulud containing .github/workflows/* |
| Compromised Packages (Examples) | @ctrl/tinycolor@4.1.1–4.1.2; angulartics2@14.1.2; ngx-toastr@19.0.2; koa2-swagger-ui@5.11.1–5.11.2; multiple @crowdstrike/* packages (e.g., @crowdstrike/foundry-js, @crowdstrike/glide-core, eslint-config-crowdstrike); several @nativescript-community/* packages |
Mitigation
Organizations should treat any developer machine or CI runner that installed affected packages as compromised. Remove or pin malicious versions, rebuild environments from clean sources, and rotate all potentially exposed credentials, including GitHub PATs, npm tokens, cloud provider keys, and SSH keys.
Review repositories for unauthorized workflows in .github/workflows (such as shai-hulud.yaml), delete any malicious additions, and restore pipelines from trusted commits.
To reduce future exposure, enforce MFA for npm publishing, replace long-lived tokens with short-lived or OIDC-based credentials, and store secrets in secure vaults rather than environment variables.
Continue monitoring for indicators of compromise such as unusual npm publish activity, new repos or branches labeled “Shai-Hulud,” or outbound connections to the attacker’s webhook endpoint.
Threat Hunting Tips
Threat hunters should focus on behaviors tied to npm installs, CI/CD pipelines, and GitHub repositories. Priority signals include:
- Audit dependency files: Review package-lock.json, yarn.lock, and build logs to confirm whether compromised versions were ever pulled into your environment.
- Check for malicious artifacts: Search repositories for unauthorized workflow files in .github/workflows (e.g., shai-hulud.yaml) or unexpected repos/branches labeled “Shai-Hulud” or “Shai-Hulud Migration.”
- Monitor process activity: Flag unusual executions of node.exe spawning scanning tools like TruffleHog, or processes reading large portions of the filesystem.
- Watch for outbound connections: Hunt for network traffic to webhook[.]site (particularly UUID-specific endpoints linked to this campaign) and to cloud metadata services (169.254.169.254).
- Leverage malware hashes: Search across your EDR/SIEM for known payload hashes, especially:
- 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 (bundle.js)
OP Innovate Actions
We are actively monitoring the impact of this campaign in our client environments and providing guidance to help them audit dependencies, rotate credentials, and remove backdoors from their repositories.
If your organization relies on npm packages and you are concerned about potential exposure, please contact OP Innovate’s Incident Response Team for immediate support.