Shai-Hulud malware campaign dubbed 'the largest and most dangerous npm supply-chain compromise in history' — 'hundreds' of JavaScript packages affected
It's a bad time to be a JavaScript developer, after Koi Security revealed yesterday that it is tracking "the largest and most dangerous npm supply-chain compromise in history."
The security firm said the Shai-Hulud malware campaign "has now impacted hundreds of packages across multiple maintainers," including "popular libraries such as @ctrl/tinycolor as well as packages maintained by CrowdStrike." (Emphasis theirs.) And the problem is probably going to get worse before it gets better, because the malware in question is a worm that autonomously spreads from package to package.
"Attackers published malicious versions of @ctrl/tinycolor and other npm packages, injecting a large obfuscated script (bundle.js) that executes automatically during installation," Koi Security said in the blog post revealing this campaign. "This payload repackages and republishes maintainer projects, enabling the malware to spread laterally across related packages without direct developer involvement."
To be clear: This campaign is distinct from the incident that we covered on Sept. 9, which saw multiple npm packages with billions of weekly downloads compromised in a bid to steal cryptocurrency. The ecosystem is the same — attackers have clearly realized the GitHub-owned npm package registry for the Node.js ecosystem is a valuable target — but whoever's behind the Shai-Hulud campaign is after more than just some Bitcoin.
"The injected script performs credential harvesting and persistence operations," Koi Security said. "It runs TruffleHog to scan local filesystems and repositories for secrets, including npm tokens, GitHub credentials, and cloud access keys for [Amazon Web Services], [Google Cloud Platform], and Azure. It also writes a hidden GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) that exfiltrates secrets during CI/CD runs, ensuring long-term access even after the initial infection. This dual focus on endpoint secret theft and backdoors makes Shai-Hulud one of the most dangerous campaigns ever compared to previous compromises."
That might be confusing to anyone who doesn't have to worry about developing and distributing Node.js software. But the long and short of it is that Shai-Hulud is using a well-known offensive security tool (TruffleHog) alongside developer tooling (GitHub Actions) in an environment that is designed specifically to help distribute software without much developer involvement (npm).
We suggested in our previous report that whoever compromised the npm packages to steal cryptocurrency did us a favor, because they could have used their access to those packages to accomplish far worse attacks. Now it seems that someone is looking to do just that — and it's hard to feign surprise when the Node.js ecosystem and the tooling built around it were practically built to enable widespread attacks like this.
Koi Security is updating its blog post with a list of npm packages known to have been compromised via the Shai-Hulud campaign. StepSecurity has also published indicators of compromise alongside a technical breakdown of how the malware spreads, what it does, and how organizations should respond if they discover that a compromised package has been used somewhere in their infrastructure.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
-
Ralston18:
What, if anything, should end-users do to protect themselves and their systems against any related threats from the malware?
The last sentence sort of hints at that, but for the most part it is not likely that helpful for most readers.
Very good to get some warning about such problems, but the piece would be much stronger and more impactful, I think, if it included some offered guidance regarding what to do about the threat(s).
Some truly practical and meaningful "take-away" that readers could act upon.
-
bit_user:
I'm surprised the blatant Dune reference seems to have been missed:
"The sandworms are reverently called Shai-Hulud by the planet's indigenous Fremen, who worship them as agents of God whose actions are a form of divine intervention."
https://en.wikipedia.org/wiki/Sandworm_(Dune)
-
CrazyCarrot911:
Luckily, there's AI to fill the gap, as I couldn't qualify if this is of importance for my daily workflow or not.
This is what ChatGPT says:
My Q: is the Shai-Hulud malware campaign dangerous for me as an average internet user ?
ChatGPT's Answer:
If you’re an average internet user (i.e. not an npm package maintainer or developer), here's how the Shai-Hulud malware campaign affects—or doesn’t affect—you:
🐛 What Is Shai-Hulud?
Shai-Hulud is a self-replicating worm targeting the npm (Node Package Manager) ecosystem. It infects JavaScript packages by stealing credentials, then auto-propagates to other packages maintained by the victim.(Unit 42)
It harvests secrets — like NPM tokens, GitHub PATs, AWS/GCP keys — and exposes them publicly via a GitHub repository named “Shai-Hulud.” It also injects malicious GitHub Actions workflows to exfiltrate data.(Unit 42)
🎯 Who Is At Risk?
At Risk:
npm package developers or maintainers on macOS or Linux.
If they install a compromised package, the worm may execute and spread automatically.(Sysdig)
Organizations and dev teams using JavaScript/Javascript-based CI tools.
A compromised package could leak secret credentials or corrupt CI/CD pipelines.(Morphisec)
Not at Risk:
General internet users who do not develop or publish npm packages.
Simply browsing the web, installing apps, or using consumer software does not expose you to Shai-Hulud.
✅ Should You Worry?
As an average user:
If you’re not a developer, the campaign poses no direct threat.
You won’t be exposed unless you intentionally install npm packages or run development tools on Linux or macOS.
If you are a developer or involved in building web apps:
You should take precautions:
Audit recently updated npm package versions — especially popular ones like @ctrl/tinycolor versions 4.1.1/4.1.2.(Truesec)
Rotate all credentials (npm tokens, GitHub PATs, cloud keys) on affected machines or build servers.(UpGuard)
Inspect your GitHub account for a public repo named “Shai-Hulud” — if present, delete it and assess what might have been exposed.(UpGuard)
Consider full system reinstall or reimaging if compromise is suspected.(OX Security)
🧾 Summary
Scenario | Are You at Risk? | What to Do
You are a typical web user (browsing, email, etc.) | No | None needed
You're a developer working with npm packages | Yes, possible risk | Audit packages, rotate credentials, check GitHub repos
🔒 Final Thoughts
Shai-Hulud is a significant threat to the npm ecosystem and developers, representing a rare and dangerous self-replicating supply chain worm. It thrives on credential theft and automated propagation.(Morphisec)
However, if you're an average internet user not involved in npm development, you don’t need to worry—this attack doesn’t affect you.
If you are a developer or involved in software development, it's critical to follow mitigation steps now.
Bottom line: Unless you're building or publishing JavaScript code via npm (on macOS or Linux), Shai-Hulud is not a danger to you as an ordinary internet user. Let me know if you want guidance on secure development practices or credential protection!
-
USAFRet:
Why would you do this?
CrazyCarrot911 said:
> Luckily, there's AI to fill the gap, as I couldn't qualify if this is of importance for my daily workflow or not.
> This is what ChatGPT says:
Me, asking ChatGPT 5 minutes after you, gives a reasonably different "answer".
Mostly, that the typical 'user' is not affected, as your answer does, but a LOT of difference in the details.
Q: is the Shai-Hulud malware campaign dangerous for me as an average internet user ?
The Shai-Hulud malware campaign is not something that would typically target the average internet user directly. However, it is still a significant threat, particularly if you engage in high-risk online activities or are involved in specific sectors like finance, government, or tech industries. Here's a breakdown:
What is the Shai-Hulud Malware Campaign?
The Shai-Hulud campaign refers to a type of cyberattack involving a sophisticated malware strain. The name comes from the "Shai-Hulud" term used in Dune (the giant sandworms), possibly alluding to the stealthy and hard-to-detect nature of the attack.
This campaign typically targets specific sectors (e.g., government, financial institutions, critical infrastructure) and utilizes advanced techniques to steal sensitive data, deploy ransomware, or maintain long-term access to a network.
Is it Dangerous for an Average User?
For the average internet user, it's not likely that you would be directly targeted by Shai-Hulud unless you meet specific conditions like:
Visiting compromised websites (e.g., sites related to finance or government).
Falling for phishing emails that appear legitimate.
Infected software or downloads that seem benign but contain the malware.
Here’s why it might still be a risk for you:
Indirect effects: Even if you aren't directly targeted, large-scale campaigns like this can spread malware through common platforms, making it easier for you to get infected.
Ransomware: Shai-Hulud and similar campaigns sometimes evolve to spread ransomware, which can lock up your data or cause major disruptions.
What Should You Do?
Update Software Regularly: Ensure your operating system, browser, and software are all up-to-date to protect against vulnerabilities.
Use Anti-Malware Software: A reliable anti-malware program will help detect and block this type of threat.
Avoid Clicking on Suspicious Links: Don’t click on links in unsolicited emails or messages, even if they seem to come from legitimate sources.
Back Up Your Data: Always have backups in case of ransomware attacks.
Conclusion
For most regular users, the risk from Shai-Hulud specifically might be low, but it's still a good idea to stay vigilant with cybersecurity practices. Malware campaigns evolve, and while you may not be a direct target, the environment can always change.
Have you noticed any odd activity on your devices or accounts recently? That might help us get a better sense of your current risk level.
-
bit_user:
I appreciate the sentiment, but I honestly don't trust its answers and therefore don't regard it as the kind of authoritative source that you seem to. I'll stick to seeking advice from security professionals with a solid track record, thank you.
CrazyCarrot911 said:
> Luckily, there's AI to fill the gap, as I couldn't qualify if this is of importance for my daily workflow or not.
> This is what ChatGPT says:
In general, the style I follow is to excerpt a few key points or quotes and then link to the source. I guess that's another problem (i.e. inability to simply link to the conversation... or can you?) with citing ChatGPT.
-
bit_user:
I assume you're making a joke?
Notton said:
> IDK, my first guess is uninstall JAVA and you'll probably be safe.
If not, then no - this uses JavaScript (also sometimes called ECMAScript), which has nothing in common with Java beyond the name, being C-derived languages, and originating as "web" technologies.
The article links to some advice for developers using npm to check if they've been affected:
https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised
I really don't know anything about npm, with this being my first time hearing the term. You can read about them, here:
https://www.npmjs.com/about
My sense about this is that it spreads via development workflows.