{
	"id": "4efa308e-3427-48b5-997f-214371e3b6bf",
	"created_at": "2026-04-06T00:10:26.222283Z",
	"updated_at": "2026-04-10T03:20:42.753881Z",
	"deleted_at": null,
	"sha1_hash": "77dc6aab4a779c5a3cba34f10b81e02a9397b397",
	"title": "Shai-Hulud npm supply chain attack: What you need to know | ReversingLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64555,
	"plain_text": "Shai-Hulud npm supply chain attack: What you need to know | ReversingLabs\r\nBy Karlo Zanki, Reverse Engineer at ReversingLabs\r\nPublished: 2025-10-10 · Archived: 2026-04-05 19:22:33 UTC\r\nReversingLabs (RL) researchers detected a first-of-its-kind self-replicating worm on the npm open-source registry on September 15. The worm, named “Shai-hulud,” spreads through a cascading compromise of npm accounts that inserts the malicious worm code into legitimate public and private npm packages belonging to the compromised developer.\r\nThe name “Shai-hulud” is taken from the open-source repository holding the malicious code. Fans of Frank Herbert's acclaimed \"Dune\" series will recognize the name of the giant sandworms native to the planet of Arrakis. Much like its namesake, this npm worm is feasting on those that wander the deserts of modern, open-source software development. Tokens, keys, and private repositories all get gobbled up by this malware behemoth.\r\nOnce infected by Shai-hulud, npm packages spawn attacks of their own by unknowingly allowing the worm to self-propagate through the packages they maintain. Given the large number of package inter-dependencies in the npm ecosystem, it is difficult to predict who will get compromised next — and how far Shai-hulud could spread.\r\nAt the time of publishing, RL has identified hundreds of npm packages that have been compromised by the Shai-hulud malware. This is an ongoing attack (see updated IoCs below), and it is apparent that the impact of the Shai-hulud malware outbreak will be large. RL has identified a number of popular packages that have been compromised, including ngx-bootstrap (300k weekly downloads), ng2-file-upload (100k weekly downloads) and @ctrl/tinycolor (2.2M weekly downloads). Together, these packages account for millions of combined weekly downloads, making this a high-impact supply chain compromise.\r\nThere are also a large number of affected parties. Among those are tech company founders and CTOs; companies providing software development services; developers working for non-profit organizations; tech leads in companies building gambling hardware and software and creating office development suites; developers in AI-first companies; security vendors — including a leading endpoint detection and response (EDR) vendor; student developers; and others that rely on npm each day to build software.\r\nRL has contacted as many affected parties as possible, but the speed at which the worm spread made it impossible to reach everybody at disclosure time.\r\nWhile the exact origin of the Shai-hulud malware — and the actors responsible for the malware — have not been identified, RL researchers note striking similarities with the Nx compromise that occurred at the end of August. While the malware used in the two attacks is different, the Nx attack and the Shai-hulud campaign use similar techniques. Both attacks target popular open source packages with millions of weekly downloads. When deployed, both malicious payloads focused on collecting environment- and other secret information from infected machines and leveraged user-owned GitHub accounts for data exfiltration.\r\nhttps://www.reversinglabs.com/blog/shai-hulud-worm-npm\r\nPage 1 of 5\r\nNow, we have a self-replicating worm spreading through the open source supply chain. While there is no way to know what threat vector we might face next, it is clear that the attackers are using every tried and true technique on the new frontier for defenders: the software supply chain.\r\nThe Shai-hulud worm itself is a 3MB+ behemoth of JavaScript. However, what it does is pretty straightforward. After an npm developer account is compromised, the worm looks for other packages the developer maintains. It then creates a new version of each of those packages by injecting itself into them. Each newly created package is modified with a postinstall action that will execute the malicious bundle.js when an unsuspecting user downloads the compromised package. This is repeated in perpetuity as the worm finds new developers to infect, and then uses them to spread even further.\r\nFigure 1: Postinstall script added to package.json file.\r\nTo speed up the spread of the Shai-hulud malware, the threat actors behind it implemented worm-like functionality that automatically updates the packages published by compromised npm accounts with this same bundle.js file. To do that, a function named updatePackage adds a postinstall script to the package.json file and adds the bundle.js file to the package archive.\r\nFigure 2: Code responsible for adding malicious functionality to affected npm packages.\r\nWe have identified at least one package in which autospreading has occurred, so it can be confirmed that this spreading technique functions properly; it probably explains the rapid growth in infected npm packages in the last 24 hours.\r\nThe malicious bundle.js script is also designed to steal cloud service tokens, primarily targeting npm, GitHub, AWS and GCP tokens. However, the worm also installs TruffleHog, a popular open-source tool that can detect more than 800 different types of secrets. This significantly increases its secret-stealing capabilities.\r\nFigure 3: Part of code showing which service tokens are targeted in the attack.\r\nThe collected secrets are then exfiltrated to newly created GitHub repositories using stolen GitHub access tokens. The created repository has the name \"Shai-Hulud\" and the description \"Shai-Hulud Repository.\" Exfiltrated data is double Base64-encoded and uploaded to a file named data.json in the newly created repository.\r\nThe compromised repositories can be tracked using a GitHub search for the repository description. Keep in mind that search results show only the currently active repositories, and we can confirm that there were more victims that removed the exfiltration repositories from their GitHub accounts after becoming aware of the compromise.\r\nFigure 4: GitHub search showing the compromised user repositories.\r\nAnother method of GitHub token exfiltration is to create a new branch named shai-hulud in one of the existing repositories. A workflow file named .github/workflows/shai-hulud-workflow.yml is uploaded to that branch.\r\nFigure 5: Malicious GitHub workflow file designed to exfiltrate secrets.\r\nThe GitHub Actions workflow has a job triggered on the push event that is designed to exfiltrate the tokens accessible from the workflow environment to the URL hxxps://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7. This data is also double Base64-encoded. Unfortunately, GitHub search does not support searching by branch name, so it is a bit harder to track the victims using this information.\r\nAnother malicious functionality implemented by this malware is the “migration” of private repos belonging to the compromised GitHub account to publicly accessible repositories. The worm tries to create a public copy of all private repositories belonging to the compromised user. This is likely an attempt to gain access to secrets hardcoded in those repositories, and possibly to steal the source code they contain. That stolen code can be analyzed for vulnerabilities that can be used in later attacks on the software.\r\nThe newly created repositories get the suffix -migration added to their original name, and have the description Shai-Hulud Migration. This information can again be used with GitHub search to find and identify victims that have had private repos exposed. At the time of publication, that search yielded close to 700 results on GitHub, giving an indication of the scope of the attack.\r\nFigure 6: GitHub search showing the “migrated” private repositories.\r\nThe first npm package for which RL has information about compromise is rxnt-authentication. The malicious version of that package, 0.0.3, was published on September 14 at 17:58:50 UTC. As a result, the npm maintainer techsupportrxnt can be considered Patient Zero for this campaign.\r\nThe exact nature of the initial compromise is not known. However, the past few days saw widespread attacks on open source maintainers that resulted in compromises of leading open source code. Those attacks utilized phishing and social engineering to seize control of maintainers’ accounts and modify code. Victims of that campaign included the npm user Qix, a maintainer of some of the most used packages on npm (top 10) — debug and chalk. According to Wiz, Qix’s packages are present in 99% of cloud environments, and 10% of them used the malicious version. RL identified more than 350 other open source packages — many with a lower profile than the Qix packages — that were infected with the same malware.\r\nWhile the nature of the malware used in that incident meant that its impact was minimal, it showed how big the exposure surface is. A similar incident occurred in the last week of August, when the authors of another popular package, called Nx, were compromised through a vulnerability in their GitHub Actions code. Some security researchers named this attack “s1ngularity” after the name of the GitHub repositories used to exfiltrate stolen user secrets. (More about this incident can be found in a recapitulation written by Wiz.)\r\nKey takeaways from the incident are that the packages were compromised by abusing vulnerable GitHub Actions, while the malicious code was designed to steal user secrets and web service tokens. In that attack, data exfiltration was performed by creating new, specifically named repositories from the compromised user accounts, and private GitHub repositories were exposed.\r\nThe design and functional overlap of the Nx campaign with the Shai-hulud worm RL detected is significant. The only remaining question for us is how Patient Zero was compromised. While social engineering is a likely tool, the exploitation of vulnerable GitHub Actions cannot be ruled out.\r\nWhat is even more concerning is the automated spreading of malware to the packages maintained by the compromised npm accounts. Historically, malware worms like SoBig, WannaCry and NotPetya have spread by targeting remotely exploitable vulnerabilities in software or — going even further back — by playing to human weaknesses to trick users into executing malicious code on their own systems. (See the “I Love You” and “Anna Kournikova” viruses.)\r\nOpen-source platforms like npm present a new and promising environment for malware to propagate. And, when malware spreads at the speed of continuous integration/continuous delivery (CI/CD) rather than human point-and-click, how far can it spread, and how quickly can it be stopped? Do we need a break-glass function, or a big red button that can temporarily halt all new package publication to platforms like npm? And, if so, who would be tasked with pressing it? Also, how quickly could they act?\r\nThe nature of this malware, designed to steal and collect access tokens and quickly reuse them, makes the Shai-hulud outbreak even more important than the Qix developer account compromise that occurred last week. This time around, there’s more at stake than a few stolen crypto-coins. With leading packages compromised — and untold numbers of developer secrets and proprietary code exposed — the keys to the kingdom have been leaked, and there’s no way of telling how they can and will be misused by malicious actors.\r\nTo check if your organization is infected, or if your cloud accounts were compromised, review your public GitHub account for suspicious activities like the sudden appearance of repositories you did not publish. Another tell-tale sign is any of your repositories suddenly changing visibility from private to public.\r\nIf you do not have a public GitHub account but are publishing packages on npm, check to see if there are any new versions of your packages that you haven’t authored but that have appeared on npm this week.\r\nYou can also check package versions for npm packages you are maintaining using RL’s free Spectra Assure Community website. The RL threat research team is diligently reviewing all published npm packages, and applying the analyst-vetted malware label to confirm that a package has been infected. Here is an example of what to look for:\r\nFigure 7: Spectra Assure Community website showcasing an analyst-vetted detection related to this incident.\r\nIndicators of Compromise (IoCs) refer to forensic artifacts or evidence related to a security breach or unauthorized activity on a computer network or system. IoCs play a crucial role in cybersecurity investigations and incident response efforts, helping analysts and security professionals identify and detect potential security incidents.\r\nThe following IoCs were collected as part of RL’s investigation of this malicious software supply chain campaign.\r\nWhile a crisis was averted with the recent Shai-hulud worm attack on npm, it proved that self-propagating malware can automate the compromise of open-source packages. Here's what you need to know about the historic Shai-hulud malware outbreak.\r\nSource: https://www.reversinglabs.com/blog/shai-hulud-worm-npm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.reversinglabs.com/blog/shai-hulud-worm-npm"
	],
	"report_names": [
		"shai-hulud-worm-npm"
	],
	"threat_actors": [],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77dc6aab4a779c5a3cba34f10b81e02a9397b397.pdf",
		"text": "https://archive.orkl.eu/77dc6aab4a779c5a3cba34f10b81e02a9397b397.txt",
		"img": "https://archive.orkl.eu/77dc6aab4a779c5a3cba34f10b81e02a9397b397.jpg"
	}
}