Thursday, September 18, 2025
Latest:

Threatshub.org sponsored-Post

TrendMicro

What We Know About the NPM Supply Chain Attack

TH Author

Key takeaways

  • Attackers reportedly launched a targeted phishing campaign to compromise Node Package Manager (NPM) maintainer accounts and inject malicious code into widely used JavaScript packages.
  • Certain malicious packages covertly diverted cryptocurrency assets by hijacking web APIs and manipulating network traffic.
  • One of the attack’s payloads is the Shai-hulud worm, which is delivered through compromised packages, steals cloud service tokens, deploys secret-scanning tools, and spreads to additional accounts.
  • Based on Trend Micro’s telemetry, organizations across North America and Europe have been among the most affected by one of the payloads, Cryptohijacker. There have been no detections of the Shai-Hulud worm so far.
  • Trend Vision One™ detects and blocks the indicators of compromise (IOCs) outlined in this blog, and provides customers with tailored threat hunting queries, threat insights, and intelligence reports.

On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography.

According to StepSecurity, the malicious actors behind this incident used similar techniques with the Nx supply chain attack last month. As of September 16, researchers at Socket have already identified close to 500 impacted NPM packages.

In this blog entry, Trend™ Research details an overview of the recent NPM ecosystem compromises, what SOC teams need to know, and security recommendations to avoid this threat.

What types of packages are at risk

The malicious modifications were made to critical JavaScript libraries, including those supporting development frameworks and cryptographic functions. Packages impacted by this attack are those with extremely high global download rates – over 2.6 billion per week – affecting a vast ecosystem of web applications and dependent projects.

Attackers stole cryptocurrency assets

The attackers hijacked web APIs and manipulated network traffic as a means of covertly diverting funds from legitimate channels to wallets they controlled, targeting both organizations and end-users interacting with compromised packages.

What the Shai-hulud worm does

One of the payloads is a self-replicating worm, dubbed Shai-hulud after the sandworm in Dune, that was detected in the NPM registry. This worm spreads by compromising developer accounts and injecting harmful code into legitimate packages. Its primary capabilities include:

  • Stealing cloud service tokens (NPM, GitHub, AWS, GCP)
  • Installing Trufflehog, an open-source secret scanning tool, to search for exposed secrets
  • Auto-spreading to additional packages and accounts
  • Exposing private repositories

Who has been affected so far

Based on Trend’s telemetry, attacks involving the Cryptohijacker payload have been reported across various countries, but primarily in North America and Europe. Organizations and developers that depend on widely adopted JavaScript libraries are among those most impacted. However, there have been no detections of the Shai-Hulud worm so far.

Security recommendations

To safeguard their development workflows and sensitive assets from the risks stemming from the ongoing NPM supply chain attack, organizations should prioritize a proactive security stance through the following best practices: 

  • Audit dependencies, focusing on recently updated packages. Review all dependencies, especially those recently modified, and remove or roll back any that appear compromised.
  • Revoke and rotate credentials, especially for NPM accounts. Immediately revoke and replace any credentials or API keys that may have been exposed, prioritizing sensitive accounts.
  • Monitor for evidence of Trufflehog and similar scanning tools in use. Check logs for any anomalous repository scanning activity and proactively scan your own codebase for exposed secrets.
  • Stay updated with advisories from the official NPM registry and trusted sources. Regularly monitor official advisories to apply the latest fixes and recommended actions promptly.
  • Tighten access and security policies. For example, apply the principle of least privilege for all accounts impacting repositories and automation. In addition, enforce multi-factor authentication (MFA) on all developer and CI/CD access points.

Shai-hulud attack chain analysis

One of the payloads is a self-replicating worm, dubbed Shai-hulud after the sandworm in Dune, that was detected in the NPM registry.  Trend Research provides analysis of Shai Hulud, its operational mechanics, and its implications for organizations relying on NPM.

Shai-Hulud stands out for its autonomous replication capability. Instead of a mere infection, Shai-Hulud introduces worm-like propagation, continuously seeking out and compromising additional packages and environments.

Attack chain

The Shai-Hulud attack chain began with a phishing email disguised as an NPM security alert, tricking a developer into revealing credentials (Figure 1). Attackers compromised the developer’s NPM account and uploaded a malicious package. When installed, this package executed JavaScript and embedded Unix shell scripts to establish persistence and start stealing information.

Using stolen GitHub access tokens, the malware authenticated to the GitHub API, checked user permissions, and listed all repositories the victim could access – including private ones. It cloned private repositories to attacker accounts, created a new branch in each, and deployed a malicious workflow to automate data theft.

Next, the malware downloaded and installed TruffleHog to scan for and harvest more secrets from files. It made all stolen repositories public and mirrored their entire history. Sensitive data was then exfiltrated to the attacker using automated web requests.

This chain shows how a single compromised account can lead to the spread of malicious code, credential theft, and mass data leakage across an organization’s entire development environment.

The widespread exposure of this threat means that hundreds of packages could have been compromised before initial detection, undermining organizations’ trust in adopting open-source dependencies. The scalability of the attack, enabled by automation, significantly increases both technical and business risks, requiring minimal effort from the attacker once deployed. 

What makes Shai-Hulud distinctive?

Traditional software supply chain threats typically involve single-use payloads or targeted credential theft. Shai-Hulud distinguishes itself through its ability to self-replicate within the NPM ecosystem, using available functionality in post-install scripts to establish secondary and tertiary infections. Once a compromised package is installed, the worm automatically attempts to spread to new targets, creating a multiplying threat that does not rely on human actor intervention after initial deployment.

Key traits:

  • Self-propagation – Shai-Hulud behaves as a worm, automatically infecting additional NPM packages and projects by leveraging existing trust relationships in the open-source community.
  • Autonomy –  The malware runs without direct ongoing operator input, making it more persistent and difficult to contain.
  • Environmental impact – By embedding itself deeply within development and CI/CD environments, Shai-Hulud gains potential access to further credentials, tokens, and sensitive build secrets.

Technical methodology

  • Post-install abuse – The core propagation mechanism centers around malicious post-install scripts. When an infected package is deployed, arbitrary code executes, which may download further payloads or inject malicious scripts into other projects and dependencies.
  • Network activity – The worm can communicate with remote servers to exfiltrate data or receive updates, thus evolving even after initial deployment.
  • Recursive threat vector – Shai-Hulud is engineered for persistence—not just compromising a project once, but remaining a latent risk as dependencies update.

Risk to NPM and open source

The core strength and risk of NPM lies in its vast network of community-driven packages. Shai- Hulud’s self-replicating worm design specifically targets this community trust, highlighting how quickly a single malicious actor can impact a disproportionately large segment of developers and software projects.

Shai-Hulud analyis

Malicious workflow injection analysis

The Shai-Hulud worm utilizes an advanced technique by injecting malicious GitHub Actions workflows into targeted repositories, enabling automated propagation and secret exfiltration across an organization’s development environment.
Upon execution, Shai-Hulud prepares the following:

  • Assigns a branch name such as shai-hulud to maintain consistency and help track infections across repositories.
  • Targets .github/workflows/shai-hulud-workflow.yml for the placement of its malicious workflow file.
  • Generates or fetches a YAML workflow file containing the malicious automation payload.

The primary function of the injected workflow, as shown in Figure 2, is to systematically collect and exfiltrate repository secrets:

  • The workflow enumerates all secrets exposed during its CI/CD runtime environment.
  • It packages these secrets into a payload formatted for transmission.
  • Secrets are sent via HTTP(S) requests to attacker-controlled webhook endpoints.

Shai-Hulud also leverages GitHub’s REST API to automate its lateral movement and establish persistence (Figure 3). The worm checks the validity and permissions of available GitHub authentication tokens to confirm the ability to interact with the API.

By issuing API requests such as
/user/repos?affiliation=owner,collaborator,organization_member&since=2025-01-01T00:00:00Z&per_page=100,
the worm identifies repositories where the compromised account has adequate privileges, filtering by owner, collaborator, or organization member roles and focusing on recent activity (Figure 4).

For each eligible repository, the Shai-Hulud worm carries out:

  • Branch creation. It creates a uniquely named branch (e.g., shai-hulud) in the repository to house the injected workflow and isolate malicious changes (Figure 5).

GitHub repository cloning analysis

Shai-Hulud’s attack chain features an automated process for cloning, migrating, and exposing private GitHub repositories from an organization to an attacker’s infrastructure. The following section outlines the programmatic stages of this cloning activity.

The main orchestration logic coordinates the full cloning cycle – from initialization through repository creation and exposure (Figure 7).

The worm iterates through all identified private repositories within a target organization, utilizing internal logic to ensure each repository is analyzed and handled (Figure 8).

Initial checks confirm the presence and validity of required inputs – such as organization name, target username, and GitHub authentication token – to ensure both API compliance and workflow reliability (Figure 9).

API interactions are abstracted behind a standardized communication wrapper, responsible for managing authentication (via bearer tokens or OAuth apps) and handling HTTP GET, POST, PUT, and PATCH methods for robust error handling (Figure 10).

The process targets only private or internal repositories to maximize stealth and impact. API pagination is implemented to enumerate all repositories within large organizations efficiently (Figure 11).

For every discovered repository, the worm creates a corresponding destination repository in the attacker’s account – embedding an identifier in the repository description such as “Shai-Hulud Migration” for tracking (Figure 12).

Once created, what was a private repository in the victim’s organization is made public under the attacker’s control, facilitating mass data exposure and fingerprinting (Figure 13).

To maximize the value of the theft, the worm performs a full mirror clone, capturing not just code contents but also the entire commit and branch history for later exploitation or secondary attacks (Figure 14).

Through these automated mechanisms, Shai-Hulud rapidly exfiltrates high-sensitivity intellectual property and source code from private repositories, weaponizing it for further data exposure, ransom, or downstream supply chain threats.

Credential harvesting via TruffleHog

As part of its post-compromise activities, Shai-Hulud leverages TruffleHog to further automate credential and secret discovery on compromised environments. The workflow begins by obtaining the latest release of the TruffleHog binary, programmatically retrieving the most recent version available for download (Figure 15).

Once the appropriate TruffleHog file is identified, the worm downloads the binary, automatically detecting and extracting the correct version based on the operating system present on the victim’s machine (Figure 16).

After extraction, TruffleHog is installed or placed into the environment, making it readily available for use by the malicious workflow (Figures 17 and 18).

The malware then spawns a child process, invoking TruffleHog to scan the local filesystem or target repository contents for high-entropy strings, keys, and other sensitive secrets. This process is conducted in-memory or within a runtime context to evade persistent detection. Once scanning is complete, the TruffleHog binary is deleted to cover tracks and minimize forensic artifacts.

By integrating TruffleHog in this automated fashion, Shai-Hulud markedly increases the volume and quality of exfiltrated secrets, while maintaining operational stealth throughout its attack lifecycle.

Trend Vision One™ Threat Intelligence

To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights which provides the latest insights from Trend Research on emerging threats and threat actors.

Trend Vision One Threat Insights

Trend Vision One Intelligence Reports (IOC Sweeping) 

Hunting Queries 

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.    

Detection of Malware payloads

malName: (*CRYPTOHIJACK* OR *SHULUD*) AND eventName: MALWARE_DETECTION

More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled

The indicators of compromise for this entry can be found here

Read More HERE

You May Also Like

SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant Threat Analyst Threat Analyst Threats Analyst Threats Analyst Threat Analyst

TH Author

The Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques

TH Author

Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques

TH Author