Shai-Hulud: The novel self-replicating worm infecting NPM packages
a day ago
- #npm
- #cybersecurity
- #malware
- An engineer discovered a supply chain attack on the NPM repository on September 15, 2025.
- The attack used a novel self-propagating malware named Shai-Hulud.
- Approximately 200 infected packages identified, including popular ones like @ctrl/tinycolor.
- Malware steals credentials, exfiltrates data, and attempts to spread to other NPM packages.
- Shai-Hulud also leaks data on GitHub by making private repositories public.
- The Sysdig Threat Research Team (TRT) is monitoring the worm's progress.
- The number of newly compromised packages has slowed thanks to the quick response.
- The malware executes during the post-install phase of compromised NPM packages.
- It targets Linux and macOS machines, stealing GitHub, NPM, AWS, and GCP credentials.
- It creates public GitHub repositories with a '-migration' suffix to leak data.
- It uses the trufflehog binary to search for sensitive credentials.
- The worm is detectable via Sysdig Secure and Falco with specific rules.
- Sysdig TRT suggests rolling back affected packages, rotating credentials, and monitoring GitHub activity.
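As an added example (not code from the Sysdig post or its detection rules), here is a Python triage helper that applies the post-install and trufflehog indicators listed above to a checked-out node_modules tree: it enumerates every package.json, reports install-time lifecycle scripts, and escalates any that reference trufflehog or belong to a package on a compromised list. The KNOWN_COMPROMISED set, the sample manifests and the install.js script name are constructed placeholders; only @ctrl/tinycolor and the trufflehog indicator come from the article.

```python
import json
import sys
from pathlib import Path

# npm runs these hooks automatically during `npm install`; the worm runs from postinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Tool the worm invokes to hunt for credentials (indicator from the article).
SUSPICIOUS_TOKENS = ("trufflehog",)
# Package the article names as compromised; extend with a current advisory list.
KNOWN_COMPROMISED = {"@ctrl/tinycolor"}

def audit_manifest(manifest: dict) -> list[str]:
    """Findings for one package.json: known-bad name, install hooks, suspicious hooks."""
    name = manifest.get("name", "<unnamed>")
    tag = f"{name}@{manifest.get('version', '?')}"
    findings = []
    if name in KNOWN_COMPROMISED:
        findings.append(f"{tag}: name is on the compromised-package list")
    for hook, cmd in (manifest.get("scripts") or {}).items():
        if hook not in INSTALL_HOOKS or not cmd:
            continue
        hit = any(tok in cmd.lower() for tok in SUSPICIOUS_TOKENS)
        level = "SUSPICIOUS" if hit else "REVIEW"
        findings.append(f"{tag}: {level} {hook} script: {cmd}")
    return findings

def audit_node_modules(root: Path) -> list[str]:
    """Walk a node_modules tree (nested and scoped packages included)."""
    findings = []
    for path in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; nothing to judge
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest))
    return findings

# Constructed sample manifests (not real package contents) for a dry run.
SAMPLE_MANIFESTS = [
    {"name": "@ctrl/tinycolor", "version": "0.0.0-sample",
     "scripts": {"postinstall": "node install.js && trufflehog filesystem ."}},
    {"name": "example-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
]

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = audit_node_modules(root) if root else [
        f for m in SAMPLE_MANIFESTS for f in audit_manifest(m)]
    print("\n".join(results) or "no findings")
```

Run it with a path to a project's node_modules; with no argument it audits the constructed samples. Any REVIEW line still needs a human look, since many legitimate packages also carry install hooks.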