Researchers discovered that more than 180 npm packages had been compromised and infected with self-propagating malware aimed at infecting other packages. The campaign, dubbed Shai-Hulud, likely began with the compromise of the @ctrl/tinycolor package, which is downloaded over 2 million times per week.
The name Shai-Hulud was taken from the shai-hulud.yaml workflow files used by the malware. This is a reference to the giant sandworms from Frank Herbert’s Dune.
Developer Daniel Pereira was the first to draw attention to the issue, warning the community about a large-scale supply chain attack.
“Right now, as you read this, malware is spreading on npm,” Pereira reported, urging everyone to refrain from installing the latest versions of @ctrl/tinycolor.
The developer tried to get the attention of GitHub’s security team through private channels, since the attackers’ target was “numerous repositories,” and publicly disclosing information about the attack could have created additional risks. However, contacting GitHub proved too difficult, and Pereira made the issue public.
Specialists from Socket and Aikido are already investigating this incident and have so far found that the compromise affected at least 187 packages. Notably, the affected set includes several packages published by the cybersecurity company CrowdStrike’s npmjs account.
“After discovering several malicious packages in the public npm registry (a third-party open-source repository), we promptly removed them and, as a precaution, rotated our keys,” representatives of CrowdStrike said. “These packages are not used by Falcon; our platform was unaffected and customers remain protected. We are working with npm and conducting a thorough investigation.”
In turn, specialists at ReversingLabs describe this incident as “the first-of-its-kind self-replicating worm that infects npm packages and steals cloud tokens.” The researchers believe that the starting point of the attack was the rxnt-authentication package, a malicious version of which was published on npm on September 14, 2025.
According to ReversingLabs, the maintainer techsupportrxnt can be considered “patient zero.” And the key to uncovering the source of the attack is determining exactly how the techsupportrxnt account was compromised. It’s possible that it all started with a phishing email or the exploitation of a vulnerable GitHub Action.
Compromised versions of the packages include a mechanism that allows the malware to spread on its own, targeting other packages maintained by the affected maintainers.
The malware downloaded each maintainer’s package, modified its package.json, injected a bundle.js script, repackaged the archive, and published it again, thereby “ensuring the automatic trojanization of downstream packages,” as Socket researchers write.
The bundle.js script uses TruffleHog — a legitimate secret scanner intended for developers and security professionals. TruffleHog helps detect accidentally leaked sensitive information in repositories and other sources, such as API keys, passwords, and tokens. The malicious script abused the tool to search for tokens and cloud credentials.
“The script checks and applies developer and CI credentials, creates a GitHub Actions workflow inside repositories, and sends the results to a hardcoded webhook (https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7),” Socket analysts explain.
The worm also attempts to create a public copy of all private repositories of the compromised user to access hardcoded secrets and steal source code. The newly created repositories get the “migration” prefix in their names.
Because of this characteristic, Daniel Pereira suggests that this malicious campaign may be linked to another large-scale supply-chain attack — s1ngularity, which very recently led to the exposure of data from 2,180 accounts and affected 7,200 repositories.
“Given the large number of interdependencies among packages in the npm ecosystem, it is difficult to predict who will be compromised next and how far Shai-Hulud may spread. At present, we have identified hundreds of npm packages infected with this worm,” ReversingLabs experts report.