Shai-Hulud Worm and Related Malicious NPM Package Attacks Targeting Software Supply Chains
A large-scale supply chain attack has targeted the Node Package Manager (NPM) ecosystem, compromising hundreds of widely used JavaScript packages and threatening the security of software development pipelines globally. In mid-September, cybersecurity researchers identified a self-propagating malware dubbed "Shai-Hulud," which was distributed through trojanized NPM packages, including some with millions of weekly downloads and high-profile packages such as those from CrowdStrike. The attack leveraged a malicious "bundle.js" script that downloaded and executed TruffleHog, a legitimate credential scanner, to harvest developer and CI/CD tokens, cloud service credentials, and environment variables from compromised systems. The stolen credentials were exfiltrated via hard-coded webhooks and GitHub Actions workflows, enabling the attacker to further propagate the malware and gain unauthorized access to sensitive resources. The campaign affected both Windows and Linux systems, increasing its reach and impact across diverse development environments.
Sysdig reported that the attack on September 15 involved approximately 200 compromised packages, including @ctrl/tinycolor, and was linked to an attacker who had previously targeted Nx packages in late August. The worm not only stole secrets but also published them publicly on GitHub and attempted to make victim repositories public, amplifying the risk of further compromise. Earlier in the month, other popular packages such as chalk, debug, and duck were also compromised following a successful spear phishing attack against a maintainer, with the attacker seeking to redirect cryptocurrency payments. NPM responded by removing the malicious package versions, but users were required to update or revert to secure versions to mitigate the risk. Sysdig provided same-day threat intelligence and detection capabilities to its customers, including open source Falco rules to identify and respond to the threat.
The attack demonstrated the vulnerability of even the most trusted and widely used open source packages, highlighting the importance of continuous monitoring and rapid response in the software supply chain. Security researchers and vendors emphasized the need for organizations to scan their environments for known malicious packages, such as dist.fezbox.cjs, and to review logs for signs of credential exfiltration. The incident underscored the evolving tactics of threat actors targeting developer ecosystems, using advanced techniques to automate propagation and maximize impact. Organizations relying on NPM packages and CI/CD pipelines were urged to remain vigilant, update dependencies promptly, and leverage threat intelligence resources to defend against similar attacks. The Shai-Hulud campaign remains an evolving threat, with ongoing analysis and mitigation efforts by the security community. This incident serves as a stark reminder that popularity and trust in open source packages do not guarantee safety, and proactive security measures are essential to protect software supply chains from compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Trend Micro reports weaponized AI assistants tied to credential theft
Trend Micro published research on weaponized AI assistants being used in support of credential theft activity, marking a distinct development from the npm package campaign. The report indicates attackers were leveraging AI-themed tooling or lures as part of malicious operations.
Sysdig highlights the malicious npm package attack in October briefing
Sysdig included the malicious npm package campaign as a notable security development in its October 2025 security briefing, reinforcing that the activity had become a significant industry-reported threat. This appears to be coverage of the same campaign rather than a separate incident.
Researchers report a massive malicious npm package campaign
Security researchers disclosed a large-scale software supply chain attack involving malicious packages published to the npm ecosystem. The campaign was described as threatening downstream developers and organizations that could unknowingly install the tainted packages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Weaponized AI Assistants & Credential Thieves
trendmicro.com
Open sourceMassive Malicious NPM Package Attack Threatens Software Supply Chains
recordedfuture.com
Open sourceSysdig Security Briefing: October 2025
sysdig.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Shai-Hulud npm Worm Expanded Into Cross-Ecosystem Supply Chain Attacks
A supply-chain malware campaign known as **Shai-Hulud** compromised hundreds of packages in the npm ecosystem and later spread into both npm and PyPI, using stolen maintainer credentials and trusted publishing workflows to push trojanized releases. Early reporting said the worm affected more than 500 npm packages, searched infected developer and CI/CD environments for GitHub Personal Access Tokens, cloud API keys, and other secrets, and exfiltrated them to attacker-controlled infrastructure and public GitHub repositories. GitHub removed hundreds of malicious packages, while CISA urged organizations to review dependencies, check for cached malicious packages, rotate credentials, and enforce phishing-resistant MFA for developer accounts. Later waves became more aggressive and broader in scope. Researchers said a second campaign hit hundreds more npm packages and had a blast radius exceeding **27,000 repositories**, abusing `preinstall` and other lifecycle hooks to steal secrets, hijack GitHub Actions, self-propagate into additional packages, and in some cases deploy a conditional wiper-like payload. A subsequent **Mini Shai-Hulud** wave affected more than 170 packages across npm and PyPI, including packages tied to TanStack, Mistral AI, OpenSearch, Guardrails AI, UiPath, and others; it used files such as `router_init.js`, invoked Bun through malicious package scripts, targeted npm, GitHub, cloud, Kubernetes, Vault, and CI/CD credentials, and demonstrated that provenance and OIDC-based trusted publishing can still be abused when attacker-controlled code runs inside legitimate release workflows.
May 25, 2026
Supply Chain Attacks and Remote Access Trojans Targeting NPM Ecosystem and Banking Sector
A series of sophisticated supply chain attacks have targeted the NPM ecosystem, compromising both widely used and niche packages to deliver malicious payloads. The "Shai-Hulud" campaign has infected at least 187 NPM packages, including the highly popular tinycolor package, which receives approximately 2 million downloads weekly. Attackers in this campaign modify package manifests, inject malicious files, and republish the compromised packages, resulting in downstream projects unknowingly incorporating malicious code. The worm-like nature of the attack allows it to spread rapidly to other maintainers' packages, amplifying the impact across the software supply chain. Delayed detection of these compromises increases the risk, as many projects may already be affected before the breach is discovered. The attack highlights the critical importance of verifying package signatures and maintaining a robust software bill of materials (SBOM) to trace dependencies and versions accurately. In a related but distinct campaign, a threat actor using the NPM account "ongtrieuhau861.001" has published at least 94 malicious packages, many of which are specifically crafted to target Asian banks. These packages, often named with the pattern "dhhdbankxxxxx" and similar variants, deliver a JavaScript-based Remote Access Trojan (RAT) dubbed "DHSollutionsBot." This RAT leverages Firebase Realtime Database for command and control, while exfiltrating stolen data through Discord webhooks, making detection more challenging due to the use of legitimate cloud services. The threat actor's NPM account history suggests either a long-term operation or the acquisition of an existing account for malicious purposes. The attack architecture is notable for its simplicity and effectiveness, combining two legitimate platforms for resilient and stealthy C2 operations. Both campaigns underscore the growing threat of supply chain attacks in the open-source ecosystem, where a single compromised package can have cascading effects on countless downstream projects. Developers and organizations are urged to implement cryptographic signing of packages, verify signatures before use, and maintain detailed SBOMs to mitigate the risk of such attacks. The incidents also demonstrate the need for continuous monitoring of package repositories and automated detection tools to identify and respond to malicious activity promptly. The use of trusted platforms like Discord and Firebase for C2 communications further complicates detection and response efforts. These attacks serve as a stark reminder that even well-established codebases can become vectors for compromise if their dependencies are not rigorously vetted and monitored. The campaigns have prompted renewed calls for improved security practices in the software development lifecycle, particularly in the management of third-party dependencies. Organizations are advised to review their exposure to affected NPM packages and take immediate remediation steps where necessary. The incidents highlight the evolving tactics of threat actors in targeting the software supply chain and the critical need for industry-wide vigilance.
Mar 21, 2026
Self-Spreading Shai-Hulud Malware Compromises 180+ npm Packages
A large-scale npm supply-chain attack dubbed **Shai-Hulud** compromised more than 180 packages, with reports placing the total at **187 affected packages** and describing it as one of the most severe npm ecosystem breaches to date. Researchers said the malware was **self-spreading**, allowing it to propagate from one compromised package to others, dramatically expanding the blast radius beyond the initially identified set of roughly 40 packages. The campaign affected widely used JavaScript dependencies and raised concern that malicious code could be pulled into downstream builds and production environments through routine package installation and update workflows. Reporting linked the incident to high-profile package ecosystems and said the fallout touched organizations and projects including **CrowdStrike** and the popular color library **tinycolor**, underscoring the risk to both enterprise software pipelines and open-source consumers. Security coverage described the operation as a major software supply-chain compromise in which trusted packages were altered and then redistributed through npm, creating a path for malware to spread through developer environments and CI/CD systems. The incident prompted urgent calls for maintainers and defenders to identify affected dependencies, review package provenance, and rotate credentials or rebuild environments where compromised packages may have executed.
May 25, 2026