In mid-September 2025 a novel self-replicating worm dubbed Shai-Hulud began appearing in npm packages. The payload is a post-install data stealer that uses a secret-scanning tool (TruffleHog), exfiltrates harvested secrets to attacker-created GitHub repositories, injects malicious GitHub Actions workflows to leak additional secrets and, critically, attempts to reuse any recovered npm/GitHub tokens to publish malicious versions of packages it can access, producing a worm-like cascade across maintainers and packages. Hundreds of packages and dozens of GitHub accounts were impacted.
How the Supply-Chain Worm Works
The Shai-Hulud campaign follows a structured attack chain that demonstrates a deliberate and persistent supply-chain compromise. It begins with the publication of trojanized npm packages that contain a malicious payload embedded in install-time scripts such as bundle.js.
When developers or CI pipelines install these versions, the script executes, launching local reconnaissance and credential harvesting.
The malware leverages tools like TruffleHog to scan file systems, git histories, and environment variables for secrets including GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. Discovered tokens are not only collected but also validated through API calls to npm and GitHub, ensuring only live credentials are exfiltrated.
A notable persistence mechanism is the creation of a GitHub Actions workflow file (shai-hulud-workflow.yml or shai-hulud.yaml) written into .github/workflows. This workflow allows the attacker to maintain access beyond the initially compromised host, since future CI runs can trigger exfiltration automatically. Sensitive data, including validated tokens and cloud metadata, is then exfiltrated to attacker-controlled endpoints, sometimes committed as data.json into public repositories like those deliberately named “Shai-Hulud”. Even after malicious packages are removed from the npm registry, these workflows can continue to operate within compromised repositories, making the persistence particularly dangerous.
The campaign also exhibits worm-like propagation by using stolen npm or GitHub credentials to publish further malicious package versions, creating rapid cascades across maintainers and namespaces. This explains the bursts of compromised packages observed in the timeline, each tied to reused payload hashes.
In practice, this means the initial infection of a single developer machine or CI agent can quickly scale into a wide-reaching supply-chain event. The anatomy of the attack thus combines initial supply-chain compromise, local and service-level credential harvesting, persistence through GitHub Actions backdoors, and continuous exfiltration and propagation, reinforcing Shai-Hulud as one of the most impactful npm supply-chain attacks observed to date.
Campaign Timeline (as of 16 September 2025)
| Date (UTC) | Time (UTC) | Event / Burst | Hash (SHA256) | Estimated Impact |
|---|---|---|---|---|
| Sep 14, 2025 | 17:58 | First observed compromise – initial batch: rxnt-authentication@0.0.3, json-rules-engine-simplified@0.2.1, react-jsonschema-form-conditionals@0.3.18, encounter-playground@0.0.2, rxnt-healthchecks-nestjs@1.0.2, rxnt-kue@1.0.4, react-complaint-image | de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 | ~7 packages |
| Sep 14, 2025 | 18:35 | Small burst | 81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 | Few packages |
| Sep 14, 2025 | 20:29–20:45 | First large burst | 83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e | 25+ packages |
| Sep 14, 2025 | 21:01–21:03 | Burst (~17 packages) | 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db | ~17 packages |
| Sep 15, 2025 | 01:12 | Burst (~10 packages) | 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db (reused) | ~10 packages |
| Sep 15, 2025 | 02:11 | New hash appears; reused across bursts at 04:58, 05:21, 07:43, 08:21, 08:58, 09:16, 10:41, 13:14, and next day 07:41 | dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c | >100 packages (esp. 09:16, 10:41) |
| Sep 15, 2025 | 15:35 | New hash active for rest of day; bursts at 19:52, 20:23, 22:35, 23:43 | 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 | >50 packages |
| Sep 16, 2025 | 01:14 | First batch of the day (CrowdStrike set) | b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 | ~100 packages (largest single burst) |
| Sep 16, 2025 | 02:32 | Additional burst (~20 packages) | b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 | ~20 packages |
| Sep 16, 2025 | 03:18 | Previous day’s hash returns, bursts at 03:18 (~20), 05:32 (~10), 06:17–07:11 (~60, many under @operato) | 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 | ~90 packages |
| Sep 16, 2025 | 07:41 | Earlier hash (Sep 15, 02:11) reappears | dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c | Handful of packages |
| Sep 16, 2025 | 10:57–11:09 | More @operato packages | 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 | ~20+ packages |
Compromised Packages and Versions:
Over 400 npm packages have been identified as trojanized during this campaign. The attack surface continues to expand, and this list will be updated as new information emerges.
Indicators of Compromise:
- Exfiltration endpoint: hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
- bundle.js payload SHA-256 hashes, in order of first appearance in the timeline above:
  - de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6
  - 81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3
  - 83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e
  - 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db
  - dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c
  - 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
  - b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777
Immediate Guidance
- Uninstall or downgrade any affected packages to known-good versions until patched releases are confirmed.
- Audit all environments (e.g., CI/CD pipelines, developer workstations) where compromised versions may have been installed, checking for unauthorized publishes or potential credential theft.
- Rotate npm tokens and other sensitive credentials if impacted packages were ever present on systems with publishing access.
- Review logs and monitoring systems for unusual activity, including unexpected npm publish actions or package modifications.
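As an added illustration of the audit step above and of the artefacts described in the attack anatomy (this is example code written for this page, not code from the original article or from iZOOlogic), the following Python script hunts a project checkout or CI workspace for the three indicators the write-up names: a bundle.js whose SHA-256 matches a listed payload hash, the shai-hulud workflow file under .github/workflows, and an installed package whose install-time hook runs bundle.js. The hook-name heuristic and the function names are assumptions, and the hash list is the one given in the indicators section.

```python
"""Hunt a project checkout or CI workspace for the Shai-Hulud indicators listed on this page."""
import hashlib
import json
from pathlib import Path

# Payload hashes from the campaign timeline (SHA-256 of the install-time bundle.js).
KNOWN_PAYLOAD_HASHES = frozenset({
    "de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6",
    "81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3",
    "83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e",
    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
})
# Persistence workflow file names from the write-up; npm runs these hooks automatically on install.
WORKFLOW_NAMES = {"shai-hulud-workflow.yml", "shai-hulud.yaml"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # assumption: hooks worth checking

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt(root: Path, known_hashes=KNOWN_PAYLOAD_HASHES) -> list[dict]:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        # 1. Exact IoC match: a bundle.js whose SHA-256 is a known payload hash.
        if p.name == "bundle.js" and sha256_file(p) in known_hashes:
            findings.append({"kind": "payload_hash", "path": str(p)})
        # 2. The backdoor workflow dropped into .github/workflows for persistence.
        elif p.name in WORKFLOW_NAMES and p.parts[-3:-1] == (".github", "workflows"):
            findings.append({"kind": "persistence_workflow", "path": str(p)})
        # 3. Heuristic: an installed package whose install-time hook runs bundle.js
        #    (catches a rebuilt payload whose hash is not yet on the list).
        elif p.name == "package.json" and "node_modules" in p.parts:
            try:
                scripts = json.loads(p.read_text(encoding="utf-8")).get("scripts") or {}
                hooks = [h for h in INSTALL_HOOKS if "bundle.js" in str(scripts.get(h, ""))]
            except (ValueError, OSError, AttributeError):
                continue  # unreadable or malformed manifest: skip it
            for hook in hooks:
                findings.append({"kind": "install_script", "path": str(p), "hook": hook})
    return findings
```

Call `hunt(Path("/path/to/checkout"))` on each workspace or CI agent being audited; any finding warrants the token rotation described in the guidance above, and a hash miss does not clear a host because the heuristic in step 3 is only a partial signal.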
How iZOOlogic Can Help
iZOOlogic protects organizations from software supply chain threats by monitoring open-source ecosystems. Our team supports clients with remediation guidance, threat hunting, and incident response to minimize risk from credential theft and CI/CD compromises.
Disclaimer: The information provided in this article is based on publicly available open-source intelligence (OSINT). It is intended for educational and defensive cybersecurity purposes only.
