
Self-Replicating Malware Hits 180+ NPM Packages in Massive Supply Chain Attack

"Shai-Hulud worm hits over 180 NPM packages, compromising accounts and spreading secrets via GitHub. One of the worst JavaScript attacks ever."
Content Team

A supply chain attack known as Shai-Hulud has infected more than 180 NPM packages since September 14, compromising over 40 developer accounts and publishing more than 700 malicious package versions. The self-replicating worm harvests secrets from the machine that installs it, publishes them to public GitHub repositories, and spreads by using any NPM publishing tokens it finds to push trojanized versions of the other packages those tokens are allowed to publish.

High-profile victims included @ctrl/tinycolor (around 2 million weekly downloads) and several packages published by CrowdStrike. The malware harvests GitHub, AWS, and Google Cloud credentials from the infected environment, then uses them to create public repositories labeled 'Shai-Hulud Migration' that expose the stolen secrets to anyone who looks.

Security firms call it one of the most severe JavaScript supply-chain attacks to date. The worm's payload runs on Linux and macOS and skips Windows machines. Although many of the leaked credentials were revoked quickly, dozens of GitHub tokens remained active at the time of writing, which keeps the campaign alive. Anyone who installed an affected version on Linux or macOS, including inside CI, should assume every credential reachable from that environment (NPM and GitHub tokens, AWS and Google Cloud keys) has been exfiltrated: revoke and rotate them, and check personal and organization GitHub accounts for unexpected 'Shai-Hulud Migration' repositories.
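The first practical question after a campaign like this is whether any lockfile in your estate pins one of the compromised releases. The script below is an added example, not code from the article or from any vendor: it walks an npm package-lock.json (both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 flat packages map) and reports every installed package whose name and version are on an operator-supplied blocklist. The package name @ctrl/tinycolor comes from the article; the version string in the blocklist is a placeholder assumption, not a real compromised release, and the sample lockfiles are constructed so the script runs offline.

```javascript
// Added example, not code from the article or from any vendor: scan an npm
// package-lock.json for installed package versions that appear on an
// operator-supplied blocklist of compromised releases. Handles both the
// lockfileVersion 1 layout (nested "dependencies" tree) and the
// lockfileVersion 2/3 layout (flat "packages" map keyed by install path).

// Operator-supplied blocklist: package name -> Set of bad versions.
// '@ctrl/tinycolor' is named in the article; the version string is a
// PLACEHOLDER (assumption), not a real compromised release. Replace the
// whole table with the package/version list from your advisory source.
const BLOCKLIST = {
  '@ctrl/tinycolor': new Set(['0.0.0-placeholder']),
};

// Derive the package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPackagesKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Walk a parsed lockfile and return [{ name, version, path }] for every
// installed package whose name/version pair is on the blocklist.
function findCompromised(lock, blocklist = BLOCKLIST) {
  const hits = [];
  const blocked = (name, version) => {
    const bad = blocklist[name];
    return Boolean(bad && bad.has(version));
  };

  if (lock.packages && typeof lock.packages === 'object') {
    // lockfileVersion 2/3: keys are install paths; "" is the root project.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '' || !meta || typeof meta.version !== 'string') continue;
      const name = meta.name || nameFromPackagesKey(key); // aliased installs carry "name"
      if (blocked(name, meta.version)) {
        hits.push({ name, version: meta.version, path: key });
      }
    }
  } else if (lock.dependencies && typeof lock.dependencies === 'object') {
    // lockfileVersion 1: nested tree, each node may have its own "dependencies".
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (meta && typeof meta.version === 'string' && blocked(name, meta.version)) {
          hits.push({ name, version: meta.version, path });
        }
        if (meta && meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Parse lockfile text and scan it; throws on malformed JSON.
function scanLockfileText(text, blocklist = BLOCKLIST) {
  return findCompromised(JSON.parse(text), blocklist);
}

// Constructed sample lockfiles (not real project files) so the script runs
// offline: one v3 layout, one v1 layout with the bad version nested.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/@ctrl/tinycolor': { version: '0.0.0-placeholder' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-lib': {
      version: '2.0.0',
      dependencies: { '@ctrl/tinycolor': { version: '0.0.0-placeholder' } },
    },
  },
};

// CLI: `node scan-lock.js path/to/package-lock.json`; with no path, scans the
// constructed samples above. Exits non-zero when a real file has hits.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const hits = file
    ? scanLockfileText(require('fs').readFileSync(file, 'utf8'))
    : [...findCompromised(SAMPLE_V3), ...findCompromised(SAMPLE_V1)];
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (file) process.exitCode = hits.length ? 1 : 0;
}
```

A lockfile hit tells you a compromised version was resolved for that project, not whether the install script actually ran on a given machine; treat any hit as a signal to rotate the credentials that were reachable from every host and CI runner that installed from that lockfile, since the worm's whole purpose is to exfiltrate them before anyone notices.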

Source: Security Week
