
640 NPM Packages Hit by Destructive 'Shai-Hulud' Worm Attack

A new Shai-Hulud worm variant infects 640 NPM packages, targeting major platforms and threatening developer systems globally.
Content Team

A devastating supply chain attack has infected 640 NPM packages with the upgraded Shai-Hulud worm, targeting major platforms like AsyncAPI, PostHog, and Postman with over 130 million monthly downloads combined. The malware spreads through preinstall scripts, dramatically expanding its reach across developer machines and CI/CD pipelines.

Unlike the September version that infected 180 packages, this iteration is far more destructive. If it can't find GitHub or NPM tokens to steal, it wipes all user data on Windows systems and erases files on Unix machines. The worm also hijacks DNS, launches privileged Docker containers, and creates backdoors through GitHub Actions.

Security researchers warn they're seeing 1,000 new malicious packages published every 30 minutes, with over 25,000 infected repositories identified. Organizations should immediately scan for compromises, rotate all credentials, and strengthen pipeline security.

Source: Security Week
