The Shai Hulud npm Supply Chain Attack: A Self-Propagating Worm Compromises the JavaScript Ecosystem
On September 15, 2025, the npm ecosystem faced one of its most severe supply chain attacks to date. The "Shai Hulud" worm, believed to be named after the desert sandworms from Frank Herbert's Dune novels, represents the first successful self-propagating attack in the npm registry, compromising over 180 packages and demonstrating a new level of sophistication in supply chain threats.
What Happened?
The attack began with the publication of malicious versions of multiple popular npm packages. Each carried a post-install script that ran automatically on installation, harvested sensitive data from the developer or CI host it landed on, and exfiltrated it to attacker-created public GitHub repositories named Shai-Hulud.
What makes Shai Hulud particularly dangerous is its worm-like behavior: when the payload runs on a host that holds a valid npm token, it automatically publishes malicious versions of every package that token can write to, spreading from maintainer to maintainer across the npm ecosystem.
Technical Analysis
The Malicious Payload
The malware is delivered as a Webpack-bundled, minified JavaScript file named bundle.js, roughly 3.7 MB in size, which the package's install hook executes automatically.
The payload masquerades as a system optimization tool, presenting itself with the following metadata: “name: System Info App”, “version: 1.0.0”, “description: Optimizes system.”.
However, instead of optimization, it performs comprehensive credential harvesting and system reconnaissance.
Credential Harvesting Techniques
Analysis of the malicious JavaScript file reveals sophisticated credential harvesting mechanisms targeting multiple platforms:
GitHub Token Extraction: The malware searches for GitHub personal access tokens with the ghp_ and gho_ prefixes and validates them before use, so that only live tokens are abused.
AWS Secrets Manager Access: The malware calls AWS Secrets Manager directly to enumerate and extract stored secrets, a significant escalation from simply harvesting environment variables.
Google Cloud Platform Compromise: Extracts GCP service account credentials and secrets, enabling cross-cloud attacks.
NPM Token Harvesting: Parses and validates NPM authentication tokens to enable package manipulation and supply chain attacks.
Environment Variable Extraction: The malware dumps the full set of environment variables on the developer system, which frequently contain API keys and other credentials.
TruffleHog Integration: More interestingly, it also downloads and runs TruffleHog, a well-known secret scanner, to search the filesystem for additional credentials. The malware turns a legitimate security tool into a discovery mechanism.
Data Exfiltration Methods
Based on analysis of the malicious JavaScript file, the malware compiles a comprehensive data package including:
System Information: Platform detection and architecture details
Complete Environment Variables: All process.env data which often contains API keys
GitHub Tokens and User Data: Validated personal access tokens and associated account information
AWS Secrets: All data extracted from AWS Secrets Manager
GCP Credentials: Google Cloud service account keys and secrets
NPM Authentication Details: Validated NPM tokens for package manipulation
Filesystem Scan Results: Output from TruffleHog secret scanning
The stolen data is exfiltrated through multiple channels:
GitHub Repository Creation: It creates a public repository named Shai-Hulud containing a dump of the harvested secrets. The repository holds a data.json file with the stolen information, double-base64 encoded.
Webhook Exfiltration: The malware also posts the data to webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7. Under the free plan in use, that webhook could receive at most 100 callbacks in total, and we observed that the platform had deactivated it for excessive activity.
GitHub Actions Workflows: Using a stolen GitHub personal access token (PAT), it enumerates repositories the token can reach that meet certain criteria and pushes a workflow file .github/workflows/shai-hulud-workflow.yml to each of them, on a new branch named shai-hulud. When that workflow runs, it exfiltrates the repository's secrets to the same webhook[.]site endpoint.
Repository Migration Attack
Beyond credential theft, the malware also manipulates repositories aggressively: it migrates private organization repositories to public repositories under the attacker-controlled user (private org/repo → public user/repo), giving each the description "Shai-Hulud Migration" and appending a -migration suffix to the name.
GitHub Account Compromise
Analysis of the malicious code reveals extensive GitHub manipulation capabilities:
Repository Creation: Creates public repositories named "Shai-Hulud" to hold the exfiltrated data
Organization Enumeration: Lists all GitHub organizations the victim has access to, mapping the full scope of potential targets
Repository Migration: Copies private organization repositories into public repositories under the account the stolen token belongs to (see Repository Migration Attack above)
Token Validation: Verifies stolen GitHub tokens are valid and active before abuse
NPM Package Manipulation
The malware implements sophisticated supply chain attack mechanisms:
Package Takeover: Identifies all packages maintained by the compromised developer
Malicious Updates: Pushes backdoored versions of legitimate packages using valid maintainer credentials
Supply Chain Propagation: Uses legitimate maintainer access to distribute malware through trusted package updates
Cloud Infrastructure Attacks
The malware targets multiple cloud platforms simultaneously:
AWS Secrets Manager: Directly extracts all stored secrets from AWS Secrets Manager, not just environment variables
GCP Service Accounts: Steals Google Cloud service account keys and credentials
Cross-Cloud Reach: Harvested AWS and GCP credentials give the attacker a foothold in more than one provider from a single compromised developer host
System Reconnaissance
Before credential theft, the malware performs comprehensive system profiling:
OS Detection: Identifies the platform (Linux/macOS/Windows) and CPU architecture and includes them in the exfiltrated data
Environment Profiling: Maps the complete development environment to understand the victim's infrastructure
TruffleHog Scanning: Uses legitimate security tools to find additional secrets throughout the filesystem
Worm Propagation Mechanism
The self-propagating behavior of Shai Hulud is its most dangerous characteristic. The replication logic uses any valid npm token found on the infected system to download the other packages that token's maintainer controls, inject the malicious payload (bundle.js plus the install hook that runs it), and publish a new compromised version of each to npm.
This automated propagation lets the malware spread from maintainer to maintainer without direct attacker intervention, turning a single compromised developer into a vector for ecosystem-wide infection.
Attack Timeline and Impact
September 14, 2025: The earliest package we found that contained the malicious payload is airpilot@0.8.8, published on 2025-09-14T18:35:07.600Z
September 15, 2025: Mass publication of malicious package versions begins
September 16-17, 2025: Security researchers identify the attack and begin tracking compromised packages
Scope of Compromise
Wiz Research initially observed 36 GitHub users with secrets exposed in the "Shai-Hulud" repo (data.json, double–base64 encoded) and 8 users whose private repositories were force-migrated to public with the label "Shai-Hulud Migration."
Tracking down repositories with the malicious workflow proved challenging, since GitHub doesn't index deleted branches, commits, or file contents. Still, we were able to uncover 64 additional repositories where a shai-hulud branch had been created, and in most of them, we found a commit containing the malicious workflow.
Notable affected packages included popular libraries such as:
@ctrl/tinycolor (with over 8 million monthly downloads)
Various packages from CrowdStrike's open-source projects
Over 180 total packages across multiple maintainer accounts
Indicators of Compromise (IoCs)
File Hashes
The following SHA-256 hashes identify malicious bundle.js files:
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3
dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c
File Indicators
Presence of bundle.js in the package root directory
"postinstall": "node bundle.js" in package.json
/tmp/processor.sh - creates the shai-hulud branch and uploads the workflow payload
/tmp/migrate-repos.sh - migrates private repositories to public
.github/workflows/shai-hulud-workflow.yml files
Network Indicators
Connections to webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
Outbound requests to cloud metadata services (169.254.169.254)
Repository Indicators
Public repositories named "Shai-Hulud"
Repositories with the "Shai-Hulud Migration" description and a -migration name suffix
Branches named "shai-hulud"
Detection and Response
Immediate Actions
If this malware is detected in your environment, immediate steps include:
Package Removal: Remove the malicious versions (rm -rf node_modules && npm cache clean --force), and reinstall only after confirming the lockfile does not still pin an affected version
Environment Cleanup: Treat any system that installed affected packages as fully compromised
Malicious Workflow Removal: Delete any .github/workflows/shai-hulud-workflow.yml files and shai-hulud branches that may persist as artifacts
Critical Credential Rotation
Based on the malware's capabilities, immediately revoke and regenerate:
All GitHub Personal Access Tokens: Both ghp_ and gho_ prefixed tokens
NPM Authentication Tokens: All npm publishing credentials
AWS Secrets Manager Contents: Rotate all secrets stored in AWS Secrets Manager
GCP Service Account Keys: Regenerate all Google Cloud service account credentials
Environment Variable Secrets: Any API keys or tokens stored in environment variables
SSH Keys: Any SSH keys that may have been exposed through filesystem scanning
Cloud Infrastructure Audit
AWS Secrets Manager Review: Audit all secrets for unauthorized access or modifications
GCP Service Account Activity: Review service account usage logs for anomalous activity
Cross-Cloud Access Logs: Check for unauthorized access across all cloud providers
Repository and Package Security
GitHub Organization Audit: Review all organizations for unauthorized access or repository creation
NPM Package Verification: Check all maintained packages for unauthorized updates or versions
Private Repository Review: Verify no private repositories were made public with "Shai-Hulud Migration" descriptions
Monitoring and Detection
Organizations should search for:
GitHub repositories named "Shai-Hulud" in their organization
Repositories with "Shai-Hulud Migration" description
Malicious workflow files in .github/workflows/
Anomalous npm publish events from maintainers
Connection to Previous Attacks
Wiz Research assesses this campaign is directly downstream of the late-August 2025 s1ngularity/Nx compromise (initial GitHub token theft to npm token theft to mass package poisoning).
This connection suggests a broader campaign of supply chain attacks targeting the JavaScript ecosystem, with attackers building upon previous compromises to achieve greater impact.
Significance and Lessons Learned
As the first successful self-propagating attack in the npm ecosystem, this appears to be one of the most severe JavaScript supply-chain attacks observed to date.
The Shai Hulud attack represents a significant evolution in supply chain threats:
Automated Propagation: The worm's ability to self-replicate without human intervention demonstrates a new level of sophistication
Multi-Vector Approach: Combining credential theft, repository manipulation, and persistent workflow implantation
Ecosystem-Wide Impact: The rapid spread across multiple maintainer accounts and hundreds of packages
AI Assistance: One of the payloads shows stylistic patterns consistent with AI-generated code, while another variant lacks them, suggesting that part of the code may have been copied from an external source
Conclusion
The Shai Hulud attack serves as a stark reminder of the vulnerabilities inherent in modern software supply chains. Its self-propagating nature and sophisticated credential harvesting techniques represent a new class of threats that organizations must prepare for.
As the npm ecosystem continues to recover from this attack, it's crucial for developers and organizations to:
Implement robust dependency scanning and verification processes
Maintain strict credential hygiene and regular rotation
Monitor for suspicious package updates and workflow modifications
Consider implementing software bill of materials (SBOM) tracking
The battle against supply chain attacks is far from over, and Shai Hulud has raised the stakes significantly for the entire JavaScript ecosystem.
—
This analysis is based on reports from security researchers at Wiz, Endor Labs, Semgrep, Checkmarx, Palo Alto Networks Unit 42, JFrog, and other cybersecurity firms who have been tracking this ongoing incident. Technical details about the malware's functionality are derived from analysis of the malicious JavaScript file (bundle.js) with SHA-256 hash 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09, performed by our own internal DFIR team on a sample provided by vxunderground.