Self-Replicating Worm Compromises Hundreds of NPM Packages, Including CrowdStrike’s
A self-replicating worm known as ‘Shai-Hulud’ has infected hundreds of npm packages, including those maintained by CrowdStrike. The malware embeds a trojanized script to steal developer credentials and access sensitive data, marking one of the most dangerous supply chain attacks to date.
According to reports from Koi Security, the Shai-Hulud malware campaign has impacted hundreds of npm packages across multiple maintainers, including popular libraries like @ctrl/tinycolor and some packages maintained by CrowdStrike. The malicious versions embed a trojanized script (bundle.js) that is designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows.
Attackers published malicious versions of @ctrl/tinycolor and other npm packages, injecting a large obfuscated script (bundle.js) that runs automatically at install time through an npm lifecycle hook, so any developer or build system that installed an affected version executed it. With the npm tokens it harvests, the payload repackages other packages the compromised maintainer is able to publish and pushes trojanized versions of them, letting the malware spread laterally across related packages without any developer involvement. As a result, the compromise quickly scaled beyond its initial entry point, impacting not only widely used open-source libraries but also CrowdStrike’s npm packages.
The injected script performs credential harvesting and persistence operations. It runs TruffleHog to scan local filesystems and repositories for secrets, including npm tokens, GitHub credentials, and cloud access keys for AWS, GCP, and Azure. It also writes a GitHub Actions workflow file (.github/workflows/shai-hulud-workflow.yml) into repositories it can reach; that workflow exfiltrates the repository’s CI/CD secrets on subsequent runs, giving the attackers long-term access even after the trojanized package itself is removed. This combination of endpoint secret theft and CI/CD persistence is what sets Shai-Hulud apart from previous npm compromises.
According to a Tuesday blog post from security systems provider Sysdig, the malicious code also attempts to leak data on GitHub by making private repositories public. The Sysdig Threat Research Team (TRT) has been monitoring this worm’s progress since its discovery. Due to quick response times, the number of new packages being compromised has slowed considerably. No new packages have been seen in several hours at the time…
Their blog post concludes ‘Supply chain attacks are increasing in frequency. It is more important than ever to monitor third-party packages for malicious activity.’