Supply chain attack

Blogs Security Advisory

Shai-Hulud NPM Supply Chain Attack Expands to 470+ Packages 

Summary: A large-scale malicious campaign, nicknamed the Shai-Hulud attack, has impacted the npm ecosystem with over 500 trojanized packages, including those packages maintained by CrowdStrike. The attack originated from a sophisticated phishing campaign that exploited the fundamental trust relationships within the npm ecosystem. 

The JavaScript ecosystem is under a massive threat following a major supply chain attack. Hence, millions of crypto users and developers are now at risk. With more than a billion of these packages downloaded already, thousands of blockchain wallets and applications could be suffer varying exploits.

  • Malicious NPM updates spread malware that steals and replaces crypto addresses.
  • Developers encouraged developer to cease on-chain operation and inspect HD wallets thoroughly.

The attackers injected malicious scripts that

  • Run secret-scanning tools on developer systems, 
  • Steal GitHub, npm and cloud credentials, 
  • Insert persistent GitHub Actions workflows for long-term access, and 
  • Exfiltrate sensitive data to attacker-controlled endpoints. 

This attack is ongoing and all users of npm packages should take immediate steps to secure tokens, audit their environments and verify package integrity. 

Issue Details 

Initial discovery on September 14, 2025, when suspicious versions of @ctrl/tinycolor and ~40 other packages were flagged. By September 16, the attack had spread to include CrowdStrike-namespaced packages and dozens from @ctrl, @nativescript-community, rxnt, @operato, and others. 

Malware behavior 

  • Downloads and runs TruffleHog, a legitimate secret scanner. 
  • Harvests secrets from local machines and CI/CD agents (npm tokens, GitHub PATs, AWS/GCP cloud keys). 
  • Writes malicious workflows into .github/workflows (shai-hulud-workflow.yml). 
  • Continuously exfiltrates findings to a fixed webhook endpoint or pushes them into new GitHub repos under the victim’s account. 

Attack Flow 

Here are some popular packages with affected versions 

Package Version 
@ctrl/ngx-codemirror 7.0.1, 7.0.2 
@ctrl/tinycolor 4.1.1, 4.1.2 
@crowdstrike/foundry-js 0.19.1, 0.19.2 
@crowdstrike/logscale-dashboard 1.205.1, 1.205.2 
@nativescript-community/sqlite 3.5.2 – 3.5.5 
@nativescript-community/text 1.6.9 – 1.6.13 
@nstudio/nativescript-checkbox 2.0.6 – 2.0.9 
@nstudio/angular 20.0.4 – 20.0.6 
eslint-config-crowdstrike 11.0.2, 11.0.3 
remark-preset-lint-crowdstrike 4.0.1, 4.0.2 

Attack Indicators 

Malicious Workflow Filenames 

  • .github/workflows/shai-hulud-workflow.yml 
  • .github/workflows/shai-hulud.yaml 

Exfiltration Endpoint 

  • hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 

Hashes of Malicious Payloads 

SHA-256 Hash Notes 
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 Large batch, Sept 15–16 
b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 CrowdStrike-related packages burst (Sept 16) 
de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 First observed compromise (Sept 14) 
81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 Sept 14 small burst 
83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e ~25 packages, Sept 14 
4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db Burst of ~17 packages, Sept 14–15 
dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c Multiple reuse across Sept 15–16 

Recommendations

Organizations and developers using npm should take immediate actions: 

  1. Uninstall or downgrade 
    Pin dependencies to known-safe versions until patched releases are confirmed. 
  1. Rotate credentials 
    Immediately revoke and reissue: 
  • npm access tokens 
  • GitHub personal access tokens / org tokens 
  • Cloud credentials (AWS, GCP, Azure) 
  1. Audit systems 
  • Inspect developer machines and CI/CD build agents for signs of the malicious bundle.js. 
  • Check .github/workflows for unauthorized files named “shai-hulud-*”. 
  • Review repositories for suspicious commits or new repos labeled “Shai-Hulud Migration”. 
  1. Monitor and log 
  • Search event logs for unusual npm publish activity. 
  • Investigate GitHub Actions runs designed to exfiltrate secrets. 
  1. Harden pipelines 
  • Pin package versions and use integrity checks (e.g.- lockfiles, checksums). 
  • Limit exposure of sensitive tokens in build environments. 
  • Rotate all build-related secrets regularly. 

 
Conclusion 
This incident is significant compromises in the npm ecosystem, impacting hundreds of widely used packages across various namespaces.

The attackers’ tactics such as credential theft, manipulation of GitHub workflows, and widespread package propagation, highlighting the growing sophistication of modern supply chain attacks.

Developers and organizations are strongly advised to take immediate action by removing affected package versions, rotating any exposed secrets, auditing their build environments and strengthening CI/CD security. Continuous monitoring and rapid response are essential to reducing risk and maintaining trust in open-source software. 

The attack’s browser API-level operation revealed critical blind spots in enterprise security monitoring, particularly for organizations handling cryptocurrency transactions.

References

Events

Future of Maritime Innovation at
METS Trade 2024; Intrucept

Maritime industry worldwide is witnessing massive changes in terms of continuous innovation and managing cyber risk on top priority list. In doing so enabling innovation becomes easier along with exploring various options that approaches and addresses cyber security in the maritime sector.

Now maritime professionals are ready to explore the latest industry trends and adopt solutions that dig deeper into maritime organizations’ challenges and priorities related to cyber security.

Intrucept Participates at the METS Trade 2024

Intrucept, a leader in cybersecurity solutions is excited to announce participation at the prestigious METS Trade 2024 in Amsterdam, Date Nov 19-21(2024).

This marks a significant step forward in transforming the maritime industry by combining the power of cutting-edge cybersecurity solutions.

About Intrucept: Ensuring Maritime Security in a Digital Age

As digital threats evolve, Intrucept is at the forefront of cyber security, providing comprehensive protection for maritime operations. From vessel systems to operational networks, we ensure that your fleet stays secure, resilient, and ready for the challenges of tomorrow.

Our solutions are designed to protect against cyberattacks, safeguard sensitive data, and maintain the integrity of vessel operations, all while enhancing overall business efficiency.

Why We’re Joining Forces at METS Trade 2024

At METS Trade 2024, we’ll be showcasing our unique partnership and how combining advanced cybersecurity with innovative engineering can provide unparalleled protection and efficiency for the maritime industry. Together, we are shaping the future of shipping — where digital security and operational excellence go hand in hand.

What You Can Expect from Our Joint Presence at METS 2024

Innovative cybersecurity solutions for shipping operations: Protect your vessels, data, and systems from the growing cyber threat landscape.

State-of-the-art shipping engineering technologies: Learn how we can optimize vessel performance, enhance fuel efficiency, and ensure compliance with global maritime standards.

Collaborative insights: Our team will be on hand to discuss how we can work together to make your operations safer, smarter, and more sustainable.

We invite you to visit our booth at METS Trade 2024 to explore how our solutions can help future-proof your business, improve operational resilience, and safeguard your digital infrastructure.

Details:

Event: METS Trade 2024

Dates: November 19-21, 2024

Location: Amsterdam RAI, Amsterdam, Netherlands

We look forward to meeting you and discussing how we can drive innovation, security, and efficiency in your maritime operations.

Scroll to top