The Shai-Hulud npm malware attack: A wake-up call for supply chain security
Sep 18, 2025 | 2 min read
Subscribe
The recent "Shai-Hulud" worm targeting the NPM ecosystem is a stark reminder of how vulnerable our software supply chains can be. This self-replicating malware, named after the iconic sandworm from Dune, has compromised over 180 npm packages through a sophisticated supply chain attack. What makes it particularly dangerous is its worm-like propagation: Using stolen tokens, it automatically infects and republishes other packages under the maintainer's control, spreading exponentially across the ecosystem. The attack primarily affects Linux and macOS environments, and some variants even use tools like TruffleHog for deeper credential scanning while establishing persistence via malicious GitHub Actions workflows.
How the malware works
The Shai-Hulud malware works with a multistage attack. It starts with phishing campaigns that steal developer credentials, often targeting GitHub and npm tokens. It then injects malicious code into the postinstall scripts of npm packages. When a developer installs a compromised package, the script performs several actions.
- Credential harvesting: It scans the environment for sensitive data like GitHub PATs, npm tokens, SSH keys, and cloud provider keys (AWS, GCP, Azure). Some variants use tools like TruffleHog to hunt for secrets more aggressively.
- Data exfiltration: The stolen data is encoded (often double-base64) and dumped into a public GitHub repo named Shai-Hulud under a file like data.json. It also tries to send data to a webhook (e.g., webhook[.]site), though some of these have been shut down due to excessive activity.
- Worm propagation: If it finds valid npm tokens in the environment, it uses them to publish malicious versions of other packages the maintainer controls, creating a self-replicating cycle that spreads the infection across the npm ecosystem.
- Persistence: The malware pushes malicious GitHub Actions workflows (often named shai-hulud-workflow.yml) to accessible repositories. These workflows exfiltrate more secrets, and in some cases, convert private organizational repos to public ones under attacker-controlled accounts, tagged with “Shai-Hulud Migration” and a -migration suffix.
This attack builds on earlier compromises like S1ngularity/Nx, where stolen GitHub tokens led to broader supply chain attacks. It’s one of the first successful self-propagating worms in the npm ecosystem, making it a serious threat.
Impacted packages
Based on reports from multiple sources, over 180 unique packages have been affected, with many seeing multiple malicious versions published. Below is a partial list of known compromised packages and their reported malicious versions (click the chart to see the full list).
See the full list of compromised packages and their full versions here.
Advice for Dev and Security teams
To mitigate risks from this attack and similar threats
- Audit and update dependencies: Scan your projects for these packages using tools like npm audit or Black Duck® SCA, and pin to known-safe versions. Roll back immediately if compromised versions are detected.
- Rotate credentials: Assume exposure and rotate all potentially affected keys (GitHub, npm, cloud providers) without delay. Check GitHub for suspicious repos like "Shai-Hulud," branches like "shai-hulud," or workflows like "shai-hulud-workflow.yml."
- Strengthen security practices: Enforce multifactor authentication everywhere, limit token scopes, and monitor CI/CD pipelines for anomalies. Consider runtime security in your build environments to catch postinstall malice.
- Stay vigilant: This attack evolves from prior ones like S1ngularity/Nx, so integrate continuous supply chain monitoring to detect future waves early.
At Black Duck, we’re here to help you secure your code. The Black Duck research team has created 187 Black Duck Security Advisories (BDSAs) that map to 214 affected components. If you need assistance auditing your dependencies, give us a shout. Let’s keep those sandworms at bay!
Continue Reading
