
How Shai-Hulud Highlights Risks in the NPM Software Supply Chain

  • DevOps Tec
  • November 20, 2025
  • 5 min read

Introduction

Within one week, Shai-Hulud was downloaded more than two million times and spread across more than twenty malicious open-source packages. The NPM ecosystem once again faced a significant supply chain attack.


This incident followed earlier compromises involving the NX package and several other popular libraries. It was first reported by Daniel Pereira, who identified the compromised version in @ctrl/tinycolor@4.1.1. On the same day, JFrog’s malware scanner detected 164 unique malicious packages across 338 infected versions. FinTech companies such as cryptocurrency exchanges, banks and brokerage firms appeared to be the primary targets.


Some organizations that had already adopted automated governance tools such as JFrog Curation and Xray were able to block malicious packages before they entered their environment. This clearly showed the value of having package governance and supply chain security tools in place, especially solutions that can filter risks and detect threats in real time.



Malicious Packages vs Vulnerable Packages

In software supply chain security, malicious packages and vulnerable packages represent two different types of risks.


  • Malicious Packages


    • Definition: Packages created with the intention to harm users or systems.

    • Purpose: Unauthorized access, data theft or system manipulation.

    • Example: A package that looks legitimate but installs a backdoor or injects harmful behavior during installation.



  • Vulnerable Packages


    • Definition: Packages with design or implementation flaws.

    • Purpose: Not intentionally harmful but can be exploited by attackers.


Understanding these differences helps organizations build more accurate defense strategies.



Why Community-Driven OSS Dependencies Become Attack Vectors

Open-source software is widely used, but its characteristics make it a frequent target for attackers. Key reasons include:


  • Public source code that allows attackers to analyze weaknesses

  • Complex dependency chains

  • Fast development cycles with inconsistent quality

  • Trust relationships within the OSS community

  • Limited or inconsistent security review processes


In environments that rely heavily on OSS, adopting a zero-trust mindset and multi-layered defenses is essential.



What Is Shai-Hulud

On September 15, 2025, engineers discovered that the NPM registry was being targeted by self-replicating, worm-like malware. Unlike previous NPM attacks, this malware spread automatically by infecting additional packages.

Around two hundred compromised packages were identified, including popular ones such as @ctrl/tinycolor, as well as several repositories related to CrowdStrike.


The malware carried out the following actions:


  1. Credential theft: Steals GitHub tokens, npm tokens, SSH keys, and cloud provider credentials.


  2. Data exfiltration attempts: Attempts to send data out via methods such as writing to public GitHub repositories or sending through webhooks.


  3. Publishing malicious versions: After obtaining a valid npm token, publishes a malicious version under the victim maintainer's name so that the infection propagates.


  4. Persistence through GitHub Actions: Injects a malicious GitHub Actions workflow into accessible private repositories to maintain long-term persistence and exfiltration.


This attack is considered one of the first successful self-propagating worms within the NPM ecosystem.



How the Shai-Hulud Data Stealer Works

The malware was often distributed as bundle.js, appearing to be a system optimization tool. In reality, it contained a data-stealing and self-propagation mechanism. Its behavior included:


  • Collecting environment information: Collects system details, environment variables, and dependency lists.


  • Credential inspection: Checks GitHub, npm, AWS, GCP, and Azure credentials.


  • Searching for sensitive data: Uses tools like TruffleHog to automatically scan for leaked secrets and credentials.


  • Data exfiltration: If sensitive information is found, it is Base64-encoded multiple times and uploaded to a public GitHub repository or sent through another channel.


  • Publishing malicious versions: With a valid npm token, attempts to publish a malicious version of the victim package to spread the infection.


  • Injecting persistence mechanisms: Adds malicious GitHub Actions workflows (such as shai-hulud-workflow.yml) into accessible repositories to maintain long-term infiltration and ongoing data collection.


Researchers observed at least eight variants in the wild, with small differences such as additional credential theft methods or changes in repository visibility.



What Affected Users Should Do

If your system or build pipeline installed any infected packages, your credentials or environment may have been exposed. Recommended actions include:


  1. Rotate All Related Credentials

    GitHub tokens, NPM tokens, cloud platform keys and other sensitive credentials.


  2. Scan for Exposed Secrets

    Use tools like TruffleHog to check for leaked secrets and revoke any compromised ones.


  3. Review Installation History

    Identify whether any infected versions were ever downloaded. Treat affected systems as high-risk.


  4. Implement Supply Chain Security Controls

    Tools such as JFrog Curation can filter and block risky packages before they enter your internal environment.


Supply chain security should be integrated into the development and release process, not only used as a reactive measure.
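For step 3 above, the following added example (not from the original post or from JFrog) checks a parsed package-lock.json against the partial infected-version list published on this page. It covers both the flat `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of version 1; the sample lockfile and the `ui-kit` package name are constructed for illustration.

```javascript
// Infected "name@version" pairs copied from this page's partial list (incomplete).
const INFECTED = new Set([
  "angulartics2@14.1.2", "@ctrl/deluge@7.2.2", "@ctrl/golang-template@1.4.3",
  "@ctrl/magnet-link@4.0.4", "@ctrl/ngx-codemirror@7.0.2", "@ctrl/ngx-csv@6.0.2",
  "@ctrl/ngx-emoji-mart@9.2.2", "@ctrl/ngx-rightclick@4.0.2", "@ctrl/qbittorrent@9.7.2",
  "@ctrl/react-adsense@2.0.2", "@ctrl/shared-torrent@6.3.2", "@ctrl/tinycolor@4.1.1",
  "@ctrl/tinycolor@4.1.2", "@ctrl/torrent-file@4.1.2", "@ctrl/transmission@7.3.1",
  "@ctrl/ts-base32@4.0.2", "encounter-playground@0.0.5", "json-rules-engine-simplified@0.2.4",
  "json-rules-engine-simplified@0.2.1", "koa2-swagger-ui@5.11.2", "koa2-swagger-ui@5.11.1",
]);

function check(name, version, hits) {
  const id = `${name}@${version}`;
  if (INFECTED.has(id)) hits.add(id);
}

// Return every installed "name@version" in a parsed lockfile that is in INFECTED.
function findInfected(lock) {
  const hits = new Set();
  // v2/v3: flat map keyed by install path; nested copies have longer paths.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const i = path.lastIndexOf("node_modules/");
    check(meta.name || (i >= 0 ? path.slice(i + 13) : path), meta.version, hits);
  }
  // v1: tree keyed by package name, transitive copies nested under "dependencies".
  (function walk(deps) {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, hits);
      walk(meta.dependencies);
    }
  })(lock.dependencies);
  return [...hits].sort();
}

// Constructed sample lockfile: a clean top-level copy and an infected nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.0" },
    "node_modules/ui-kit/node_modules/@ctrl/tinycolor": { version: "4.1.1" },
    "node_modules/koa2-swagger-ui": { version: "5.11.2" },
  },
};
console.log(findInfected(sampleLock));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findInfected`. An empty result only rules out the versions in this partial list, and a lockfile shows what is pinned now, not what earlier builds may have installed.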



Attackers and Early Indicators

There is currently not enough evidence to determine whether Shai-Hulud is related to the previous NX CLI attack. Although there are some similarities in tooling and payload design, attribution remains unclear.


Techniques such as GitHub data exfiltration and token abuse overlap with certain earlier incidents, so it is worth continuing to monitor developments.



Partial List of Infected Packages

A portion of the infected package list from the report is shown below for reference and risk awareness.


  1. angulartics2@14.1.2
  2. @ctrl/deluge@7.2.2
  3. @ctrl/golang-template@1.4.3
  4. @ctrl/magnet-link@4.0.4
  5. @ctrl/ngx-codemirror@7.0.2
  6. @ctrl/ngx-csv@6.0.2
  7. @ctrl/ngx-emoji-mart@9.2.2
  8. @ctrl/ngx-rightclick@4.0.2
  9. @ctrl/qbittorrent@9.7.2
  10. @ctrl/react-adsense@2.0.2
  11. @ctrl/shared-torrent@6.3.2
  12. @ctrl/tinycolor@4.1.1, 4.1.2
  13. @ctrl/torrent-file@4.1.2
  14. @ctrl/transmission@7.3.1
  15. @ctrl/ts-base32@4.0.2
  16. encounter-playground@0.0.5
  17. json-rules-engine-simplified@0.2.4, 0.2.1
  18. koa2-swagger-ui@5.11.2, 5.11.1

  …(and more)


JFrog’s security research team continues to track newly discovered malicious packages, and organizations are encouraged to follow updates.


Strengthening Software Supply Chain Security with the JFrog Platform

The report highlights three key strategies for mitigating attacks like Shai-Hulud:


  1. Real-time governance: Block the download and use of malicious packages as they appear.


  2. Comprehensive dependency scanning and management: Scan packages across development and production environments and provide timely risk alerts.


  3. Cache control and management: Use Artifactory’s remote repository caching capabilities to control how external packages are fetched and cached.


Each JFrog solution plays a role:


  • Curation

    • Filters packages before they enter the organization

    • Allows only versions that meet security policies

    • Enables policy-driven governance and compliance


  • Xray

    • Provides real-time vulnerability and malware scanning

    • Analyzes deep dependency structures

    • Sends alerts for quick remediation


  • Artifactory Remote Repositories

    • Controls caching and retrieval of external resources

    • Works together with Curation and Xray to ensure only safe components enter the environment


With these combined, organizations can secure the supply chain at the entry point.



Conclusion

The Shai-Hulud incident highlights several important points:


  • It is one of the few known self-replicating malware attacks in the NPM ecosystem

  • It combines credential theft and malicious package publication

  • Real-time package governance is essential

  • Enterprise-grade tools such as the JFrog platform provide effective protection


For DevOps and DevSecOps teams, this incident shows that reactive detection alone is not enough. Security controls and governance must be integrated into the package sourcing and dependency management process.




If you would like to learn how JFrog Curation and Xray can strengthen your software supply chain, feel free to contact the DevOps Tec. team. We can help you enhance supply chain security from the source!











