Self-Propagating Malware Infects Over 180 npm Packages

Researchers have uncovered the compromise of more than 180 npm packages infected with self-propagating malware designed to spread to other packages. The campaign, dubbed Shai-Hulud, first came to light through the compromise of @ctrl/tinycolor, an npm package downloaded over 2 million times per week.

The name comes from the shai-hulud.yaml workflow files used by the malware, a reference to the giant sandworms from Frank Herbert’s Dune.

Discovery of the Attack

Developer Daniel Pereira was the first to sound the alarm, calling it a large-scale supply chain attack.

“Right now, as you read this, malware is spreading through npm,” Pereira warned, urging developers to avoid installing the latest versions of @ctrl/tinycolor.

Pereira initially attempted to alert GitHub’s security team privately, noting that multiple repositories were being targeted. But after struggling to get through, he went public with the disclosure.

Scope of the Compromise

Specialists at Socket and Aikido confirmed that at least 187 packages have been affected so far. Among the victims were several packages published by the npmjs account of CrowdStrike.

“Upon discovering several malicious packages in the public npm registry, we quickly removed them and proactively rotated our keys,” CrowdStrike said in a statement. “These packages are not used by Falcon, our platform was not impacted, and customers remain protected. We are working with npm and conducting a thorough investigation.”

A Worm in npm

Researchers at ReversingLabs described the campaign as “the first-of-its-kind self-replicating worm infecting npm packages and stealing cloud tokens.” They believe the infection began with a malicious version of the rxnt-authentication package, published on September 14, 2025.

According to their analysis, the techsupportrxnt account can be considered “patient zero.” How that account was compromised remains unclear, but possibilities include a phishing email or exploitation of a vulnerable GitHub Action.

Once injected, the malware spread automatically:

  • Downloading each of a maintainer’s packages.
  • Modifying package.json.
  • Injecting a bundle.js script.
  • Repackaging and republishing the archive.

This effectively trojanized downstream packages.

Abuse of Legitimate Tools

The bundle.js script abused TruffleHog, a legitimate secret-scanning tool, to search for API keys, tokens, and passwords.

“The script checks and applies developer and CI credentials, creates GitHub Actions workflows inside repositories, and sends the results to a hardcoded webhook,” explained Socket analysts, pointing to https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 as the exfiltration point.

The malware also attempted to clone all private repositories of a compromised user, append “migration” to their names, and expose them publicly. This enabled both source code theft and access to embedded secrets.

Pointing to the similarity between this behaviour and the recent s1ngularity supply chain attack, which compromised data from 2,180 accounts and affected 7,200 repositories, Pereira suggested the two campaigns may be connected.

Experts warn the full impact is still unclear:

“Given the large number of package interdependencies in the npm ecosystem, it is difficult to predict who will be compromised next and how far Shai-Hulud might spread,” ReversingLabs researchers reported. “We have currently identified hundreds of npm packages infected by this worm.”