The recent "Shai-Hulud" worm targeting the npm ecosystem is a stark reminder of how vulnerable our software supply chains can be. This self-replicating malware, named after the sandworm from Dune, has compromised over 180 npm packages through a supply chain attack. What makes it particularly dangerous is its worm-like propagation: using stolen npm tokens, it automatically injects itself into and republishes other packages the compromised maintainer controls, so each infected developer machine can seed further packages and the spread accelerates across the ecosystem. The attack primarily affects Linux and macOS environments, and some variants also use tools like TruffleHog for deeper credential scanning while establishing persistence via malicious GitHub Actions workflows.
Shai-Hulud is a multistage attack. It begins with phishing campaigns that steal developer credentials, typically GitHub and npm tokens. The attacker then injects malicious code into the postinstall scripts of npm packages, so the payload runs automatically during a routine install rather than waiting for the package to be imported. When a developer installs a compromised package, the script performs several actions.
This attack builds on earlier compromises like S1ngularity/Nx, where stolen GitHub tokens led to broader supply chain attacks. It’s one of the first successful self-propagating worms in the npm ecosystem, making it a serious threat.
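Because the worm rides on install-time lifecycle hooks, the quickest local check is to read your lockfile rather than your code. The script below is an added example written for this post (it is not Black Duck's tooling): it flattens an npm `package-lock.json` (lockfileVersion 2/3), flags any package whose version appears in a known-bad list, and separately flags every package that npm has marked with `hasInstallScript`, the lockfile field npm sets when a dependency declares `preinstall`, `install` or `postinstall`. The package names, versions and the sample lockfile are constructed for the demo; a real run would replace `KNOWN_BAD` with an advisory feed.

```javascript
// Added example (not from the original post or Black Duck's tooling): audit an
// npm package-lock.json for known-bad versions and install-time script hooks.
// All package names, versions and the lockfile below are constructed samples.

// Constructed deny-list: package name -> set of known-malicious versions.
const KNOWN_BAD = {
  "example-widget": new Set(["4.3.1", "4.3.2"]),
  "@acme/config-loader": new Set(["1.8.0"]),
};

// Constructed lockfile in npm lockfileVersion 3 layout. npm writes
// "hasInstallScript": true for any package whose package.json declares
// preinstall/install/postinstall, so the lockfile alone reveals script hooks.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-widget": { version: "4.3.2", hasInstallScript: true },
    "node_modules/@acme/config-loader": { version: "1.7.9" },
    "node_modules/harmless-util": { version: "2.0.0" },
    "node_modules/harmless-util/node_modules/native-bindings": {
      version: "0.5.1",
      hasInstallScript: true,
    },
  },
};

// Derive the package name from a lockfile path key. Nested installs and scoped
// packages are handled by taking everything after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Flatten the "packages" map into { name, version, hasInstallScript } records,
// skipping the root entry ("") and any entry without a resolved version.
function listInstalledPackages(lock) {
  const out = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue;
    out.push({
      name,
      version: entry.version,
      hasInstallScript: entry.hasInstallScript === true,
    });
  }
  return out;
}

// Returns findings sorted by name. "known-bad" is an exact version match
// against the deny-list; "install-script" flags packages that execute code at
// install time and deserve a manual look even when they are not listed.
function auditLock(lock, knownBad = KNOWN_BAD) {
  const findings = [];
  for (const pkg of listInstalledPackages(lock)) {
    const reasons = [];
    const bad = knownBad[pkg.name];
    if (bad && bad.has(pkg.version)) reasons.push("known-bad");
    if (pkg.hasInstallScript) reasons.push("install-script");
    if (reasons.length > 0) findings.push({ ...pkg, reasons });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Demo run over the constructed lockfile.
for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join(", ")}`);
}
```

To run this against a real project, replace `SAMPLE_LOCK` with the parsed contents of its `package-lock.json` and treat every `known-bad` hit as an incident (rotate the npm and GitHub tokens on that machine, not just the package). The `install-script` hits are a triage list, not a verdict: native addons legitimately build at install time, but a pure-JavaScript utility that suddenly gains a `postinstall` hook in a new version is exactly the pattern this worm relies on.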
Based on reports from multiple sources, over 180 unique packages have been affected, many with multiple malicious versions published. Below is a partial list of known compromised packages and their reported malicious versions.
To mitigate risks from this attack and similar threats
At Black Duck, we’re here to help you secure your code. The Black Duck research team has created 187 Black Duck Security Advisories (BDSAs) that map to 214 affected components. If you need assistance auditing your dependencies, give us a shout. Let’s keep those sandworms at bay!