{
	"id": "2e9e99c6-e9c3-4cd3-8bf9-d4b4b2dbe9b4",
	"created_at": "2026-04-06T02:10:51.416895Z",
	"updated_at": "2026-04-10T03:20:36.093762Z",
	"deleted_at": null,
	"sha1_hash": "e341ae3a2fa394b3fe32cdb26471ee187c5eae75",
	"title": "Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63926,
	"plain_text": "Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz\r\nBy Atinderpal Singh\r\nPublished: 2025-09-19 · Archived: 2026-04-06 01:34:34 UTC\r\nZscaler Blog\r\nGet the latest Zscaler blog updates in your inbox\r\nIntroduction\r\nOn September 15th 2025, ReversingLabs (RL) researchers discovered a self-replicating worm called “Shai-Hulud” in the  npm open-source registry. The worm autonomously spreads through the  npm registry by hijacking\r\nmaintainer accounts and injecting malicious code into public and private packages. Over 200  npm packages and\r\nmore than 500 versions were compromised between September 14th and 18th. Each infected package helps the\r\nShai-Hulud worm spread further which creates a chain reaction across the  npm ecosystem.\r\nNamed after its repository, the Shai-Hulud worm targets sensitive data like tokens, keys, and private repositories.\r\nWhile end-user applications are less directly affected, build environments may have been exposed through leaked\r\ncredentials or code. RL has identified hundreds of compromised packages, including widely used ones like ngx-bootstrap, ng2-file-upload, and @ctrl/tinycolor, which have millions of weekly downloads. The interconnected\r\nnature of  npm packages makes it difficult to predict the worm’s impact.\r\nRecommendations\r\nUse private registry proxies and software composition analysis (SCA) tools to filter and monitor third-party\r\npackages. Remove compromised package versions, clear caches, and reinstall clean ones. Use private\r\npackage managers to block malicious versions.\r\nApply least privilege principles by using scoped, short-lived keys and tokens. Revoke npm tokens, GitHub\r\npersonal access tokens (PATs), cloud keys, and CI/CD secrets.\r\nFlag abnormal  npm publish events, GitHub workflow additions, or the unexpected use of secret scanners\r\nin CI processes. 
Hunt for indicators of compromise (IOCs) such as a file named bundle.js, workflows named shai-hulud-workflow.yml, or outbound traffic to webhook[.]site.\r\nUpdate response playbooks for supply chain attacks and conduct practice drills. Treat impacted systems as compromised: isolate, scan, or reimage them.\r\nRestrict build environments to internal package managers or trusted mirrors, and limit their internet access to reduce the risk of data exfiltration. Enable multifactor authentication (MFA) across all platforms, including npm, GitHub, and cloud services.\r\nReinforce phishing awareness and the secure handling of tokens and secrets with developer teams.\r\nAffected Versions\r\nNotable examples of compromised packages and their versions include:\r\n@ctrl/tinycolor - Versions 4.1.1 and 4.1.2\r\n@crowdstrike/* - Multiple versions of packages\r\nImpacted platforms\r\nThe worm is not OS-specific: any Windows, Linux, or macOS host that installs a compromised npm package runs the malicious install hook.\r\nVulnerability Details\r\nThe Shai-Hulud worm spreads through compromised npm packages by planting a malicious post-install script.
When executed, the script performs several actions:\r\nRuns TruffleHog to harvest secrets from the host, including tokens, API keys, environment variables, and cloud credentials.\r\nSends the exfiltrated data to threat actor-controlled webhooks and to GitHub repositories named Shai-Hulud.\r\nPublishes infected versions of every package the victim’s npm account owns.\r\nInjects malicious GitHub workflows and converts private repositories to public.\r\nThis combination of credential theft, package trojanization, and self-replication makes the Shai-Hulud worm unusually dangerous.\r\nConclusion\r\nThe Shai-Hulud worm rapidly compromised hundreds of npm packages and versions across Windows, Linux, and macOS, showing how quickly and widely a compromise can spread through an open-source ecosystem. By combining credential theft, automated propagation, and repository tampering, the Shai-Hulud worm has set a precedent for future supply chain attacks. Organizations should act immediately by revoking exposed credentials, strengthening supply chain defenses, and adding monitoring that can detect and respond to this class of threat.\r\nZscaler Coverage\r\nZscaler has updated its detections to cover this threat; attempts to download a malicious npm package are detected under the following threat classifications:\r\nAdvanced Threat Protection\r\nJS/Shulud.A\r\nJS.Malicious.npmpackage\r\nAttempts to reach the web service used for data exfiltration are identified and flagged under the following threat name:\r\nAdvanced Threat Protection\r\nJS.Worm.Shai-Hulud.LZ\r\nThank you for reading\r\nDisclaimer: This blog post has been created by Zscaler for informational purposes only and is provided \"as is\" without any guarantees of accuracy, completeness or reliability.
Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.\r\nSource: https://www.zscaler.com/blogs/security-research/mitigating-risks-shai-hulud-npm-worm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/mitigating-risks-shai-hulud-npm-worm"
	],
	"report_names": [
		"mitigating-risks-shai-hulud-npm-worm"
	],
	"threat_actors": [],
	"ts_created_at": 1775441451,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e341ae3a2fa394b3fe32cdb26471ee187c5eae75.pdf",
		"text": "https://archive.orkl.eu/e341ae3a2fa394b3fe32cdb26471ee187c5eae75.txt",
		"img": "https://archive.orkl.eu/e341ae3a2fa394b3fe32cdb26471ee187c5eae75.jpg"
	}
}