Inside the Shai-Hulud NPM Supply Chain Attack
This blog breaks down the recent NPM supply chain attack, known as ‘Shai-Hulud,’ which compromised over 180 packages and exposed developer credentials worldwide, and explains what developers and organizations should do to mitigate the risk.
Key Takeaways
- A coordinated supply chain attack has targeted the NPM ecosystem, compromising over 180 packages, including popular libraries such as tinycolor.
- The attack was the first widely observed self-replicating “worm” in the NPM ecosystem, spreading automatically across maintainer accounts and dependent packages.
- The malicious code used open-source scanning tools, such as TruffleHog, to steal cloud credentials, GitHub tokens, and NPM publishing tokens from developer environments.
- Attackers have been reported to leverage previously stolen GitHub tokens from an earlier campaign to poison additional packages and escalate the attack.
- Developers and organizations worldwide were affected, especially those who installed or updated impacted packages during the attack window.
- Security vendors and the NPM registry acted quickly to remove compromised packages and publish advisories, but affected systems should be considered compromised.
Recommendations
- Audit all NPM dependencies for recent updates or suspicious changes.
- Remove and replace compromised packages immediately.
- Rotate credentials and secrets exposed to affected environments.
- Implement supply chain security controls, such as package signing and dependency monitoring.
Campaign Overview
A coordinated campaign targeted the NPM ecosystem, compromising more than 180 packages, including popular libraries such as tinycolor, and packages used by major vendors. This campaign targeted open-source JavaScript packages with millions of weekly downloads. The attack leveraged a sophisticated, worm-like malware payload that self-propagated across maintainer accounts and their dependent packages, creating a cascading compromise effect throughout the NPM registry.
The attackers injected malicious code into new releases of popular NPM packages. The payload was delivered via a hijacked “postinstall” script embedded in the compromised package.json file. Upon installation, the script executed a minified bundle.js file, which performed multiple operations.
- The malware used open-source tools such as TruffleHog to scan local file systems and environment variables for high-entropy secrets, including AWS, Google Cloud Platform, and Azure credentials, GitHub tokens, and NPM publishing tokens.
- TruffleHog is an open-source security tool designed to scan code repositories, file systems, cloud assets, and CI/CD pipelines for sensitive information such as API keys, passwords, cryptographic secrets, and other credentials.
- Stolen credentials were validated and exfiltrated to attacker-controlled endpoints. The malware created public GitHub repositories named “Shai-Hulud” under victim accounts, uploading encoded JSON files containing harvested secrets and system information. Some reporting indicates that more than 700 repositories titled “Shai-Hulud” were identified.
- The malware established persistence by planting malicious GitHub Actions workflows in accessible repositories, enabling ongoing exfiltration of secrets during CI/CD pipeline executions.
- Validated NPM tokens allowed the malware to publish trojanized updates to other packages owned by the compromised maintainer, recursively infecting downstream packages and expanding the attack surface.
Developers and organizations who installed affected packages during the brief window before takedown were directly impacted. The attack also targeted CI/CD build agents and cloud environments, harvesting short-lived credentials via cloud metadata endpoints. End-users of applications built with compromised packages are indirectly at risk if those applications were built during the attack window.
This campaign represents a significant escalation in supply chain threats, combining credential harvesting, automated propagation, and CI/CD persistence. The payload evolved through multiple variants, with some versions making the “Shai-Hulud” repository private for defense evasion. Security vendors responded quickly by removing the compromised versions and publishing extensive advisories. However, the affected developer machines and build agents should be considered fully compromised and mitigation actions should be taken accordingly.
Attribution
At the time of writing (September 17, 2025), the incident is still under active investigation; however, some reports have linked this to a previous campaign, Nx, that occurred in August 2025. There is an even chance that these two campaigns were conducted by the same threat group.
Has Blackpoint Observed this Campaign?
Blackpoint consistently monitors and acts on suspicious and malicious activity related to persistence and lateral movement. It should be noted that the purpose of this notice is to keep our client base informed and to suggest mitigations and proactive security checks.
Blackpoint is also closely monitoring this situation to ensure that our security teams have the most relevant and timely intelligence.
Indicators
A complete list of impacted packages can be found in the Socket blog.
Suspicious API Calls
- AWS API calls to secretsmanager.*.amazonaws.com endpoints, particularly BatchGetSecretValueCommand
- GCP API calls to secretmanager.googleapis.com
- NPM registry queries to registry.npmjs.org/v1/search
- GitHub API calls to api.github.com/repos
Suspicious Process Executions
- TruffleHog execution with arguments filesystem /
- NPM publish commands with --force flag
- Curl commands targeting webhook.site domains
Other Indicators
- Malicious workflow file: .github/workflows/shai-hulud-workflow.yml
- Exfiltration endpoint: hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
- Malicious file: bundle.js
- Bundle.js hashes
  - de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6
  - 81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3
  - 83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e
  - 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db
  - dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c
  - 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
  - b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777