Shai-Hulud Worm Infects Over 500 NPM Packages in Sophisticated Supply Chain Attack

A widespread and sophisticated supply chain attack is currently unfolding within the Node Package Manager (npm) ecosystem, with a self-replicating worm “Shai-Hulud” compromising more than 500 popular packages, including some maintained by cybersecurity firm CrowdStrike. This worm-like malware is designed to steal credentials, such as npm and GitHub tokens, as well as cloud service keys, from developers and then use those credentials to spread itself to other packages, creating a cascading effect throughout the software supply chain.

The attack, which appears to be linked to a previous compromise in late August, employs a legitimate secret-scanning tool to find sensitive information on infected developer machines. Once credentials are stolen, the malware exfiltrates them to publicly accessible GitHub repositories. The worm then uses any compromised npm tokens to publish new, malicious versions of other packages maintained by the infected developer, allowing it to propagate automatically and rapidly expand its reach. This autonomous replication marks a significant evolution in supply chain attack techniques.

The data targeted by the malware includes:

• Developer npm credentials
• API Keys
• Database passwords
• Private keys
• Other secrets stored in project environment files

Security researchers are actively investigating the full extent of the “Shai-Hulud” worm’s impact, urging developers to take immediate action. This includes revoking any potentially compromised credentials, auditing their projects for malicious dependencies, and removing any of the affected packages from their environments. The incident highlights the critical need for enhanced security measures and vigilance in the open-source software ecosystem, as the worm’s ability to spread without human intervention poses a severe and ongoing threat to developers and organizations worldwide.

Affected Packages:

@ahmedhfarag/[email protected]
@ahmedhfarag/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@art-ws/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@crowdstrike/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@ctrl/[email protected]
@hestjs/[email protected]
@hestjs/[email protected]
@hestjs/[email protected]
@hestjs/[email protected]
@hestjs/[email protected]
@hestjs/[email protected]
@hestjs/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nativescript-community/[email protected]
@nexe/[email protected]
@nexe/[email protected]
@nexe/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@nstudio/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@operato/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@teselagen/[email protected]
@thangved/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@things-factory/[email protected]
@tnf-dev/[email protected]
@tnf-dev/[email protected]
@tnf-dev/[email protected]
@tnf-dev/[email protected]
@tnf-dev/[email protected]
@ui-ux-gang/[email protected]
@yoobic/[email protected]
@yoobic/[email protected]
@yoobic/[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]