Article illustration 1

A self-replicating software supply chain attack has compromised at least 187 npm packages, including modules published under CrowdStrike's namespace, in a coordinated campaign researchers dub 'Shai-Hulud'. The attack began on September 15th with the compromise of the @ctrl/tinycolor library—a dependency pulling over 2 million weekly downloads—before spreading like a worm through maintainers' accounts by automatically repackaging and republishing infected versions.

The Zero Hour: From Alert to Ecosystem Emergency

The breach was first flagged by backend engineer Daniel Pereira, who sounded alarms about live malware spreading through npm. "There is malware spreading live in npm as you read this," Pereira warned via LinkedIn, attempting to alert GitHub through private channels due to the sensitivity of exposed secrets.


alt="Article illustration 2"
loading="lazy">

Security firms Socket and Aikido rapidly expanded the investigation, identifying 187 compromised packages. StepSecurity provided technical analysis confirming the attack vector: > "The malware downloads each package by a maintainer, modifies its package.json, injects malicious scripts, repacks the archive, and republishes it—enabling automatic trojanization of downstream packages." ## Anatomy of a Self-Propagating Attack The payload (`bundle.js`) weaponizes **TruffleHog**—a legitimate secret-scanning tool—to hunt for credentials and API tokens. Once executed, it: 1. Scans hosts for cloud credentials and tokens 2. Validates stolen CI/CD credentials 3. Creates unauthorized GitHub Actions workflows (`shai-hulud.yaml`) 4. Exfiltrates data to attacker-controlled webhooks 
<img src="https://news.lavx.hu/api/uploads/worm-style-shai-hulud-attack-infects-187-npm-packages-in-self-propagating-supply-chain-assault_20250916_214008_image.jpg" 
     alt="Article illustration 3" 
     loading="lazy">
*The malware’s name derives from Frank Herbert's 'Dune' sandworms, reflecting its burrowing persistence across dependencies.*

High-Profile Fallout and Industry Response

CrowdStrike confirmed compromise of packages under its `crowdstrike-publisher` namespace, stating:

"We swiftly removed malicious npm packages and rotated keys... These packages are not used in the Falcon sensor."


Google also issued warnings about its Gemini CLI tool, noting that while its source code wasn't breached, users installing via npm during the attack window may be affected. This incident follows September's 's1ngularity' AI-powered GitHub attack (2,180 compromised accounts) and the chalk/debug npm phishing breach, highlighting an alarming pattern of supply chain targeting.

The Fragile Dependency Ecosystem

Three critical lessons emerge from Shai-Hulud:
1. Credential scope matters: Publishing tokens with overly broad permissions enabled lateral package infections
2. Tooling dual-use risk: Legitimate utilities like TruffleHog become attack vectors when hijacked
3. Response gaps persist: Pereira's struggle to alert GitHub underscores ecosystem-wide coordination challenges

Developers must immediately:
- Audit environment logs for suspicious webhook traffic
- Rotate ALL secrets and CI/CD tokens
- Pin dependencies to hash-verified versions
- Limit npm publishing token scopes

As supply chain attacks evolve toward automation and propagation, the industry’s dependency on shared repositories demands radical rethinking of trust boundaries—before the next worm burrows deeper.

Source: BleepingComputer, Socket, StepSecurity, and Aikido research