<\/p>\n
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/NPM-thumbnail.jpg\")
<\/div>\nOn September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography.<\/p>\n
According to StepSecurity, the malicious actors behind this incident used similar techniques<\/a> with the Nx supply chain attack<\/a> last month. As of September 16, researchers at Socket have already identified close to 500 impacted NPM packages<\/a>.<\/p>\n In this blog entry, Trend\u2122 Research details an overview of the recent NPM ecosystem compromises, what SOC teams need to know, and security recommendations to avoid this threat.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The malicious modifications were made to critical JavaScript libraries, including those supporting development frameworks and cryptographic functions. Packages impacted by this attack are those with extremely high global download rates \u2013 over 2.6 billion per week \u2013 affecting a vast ecosystem of web applications and dependent projects.<\/p>\n The attackers hijacked web APIs and manipulated network traffic as a means of covertly diverting funds from legitimate channels to wallets they controlled, targeting both organizations and end-users interacting with compromised packages.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n One of the payloads is a self-replicating worm, dubbed Shai-hulud after the sandworm in Dune, that was detected in the NPM registry. This worm spreads by compromising developer accounts and injecting harmful code into legitimate packages. Its primary capabilities include:<\/p>\n Based on Trend’s telemetry, attacks involving the Cryptohijacker payload have been reported across various countries, but primarily in North America and Europe. Organizations and developers that depend on widely adopted JavaScript libraries are among those most impacted. However, there have been no detections of the Shai-Hulud worm so far.<\/p>\n To safeguard their development workflows and sensitive assets from the risks stemming from the ongoing NPM supply chain attack, organizations should prioritize a proactive security stance through the following best practices: <\/p>\n Shai-hulud attack chain analysis<\/span><\/p>\n One of the payloads is a self-replicating worm, dubbed Shai-hulud after the sandworm in Dune, that was detected in the NPM registry. Trend Research provides analysis of Shai Hulud, its operational mechanics, and its implications for organizations relying on NPM.<\/p>\n Shai-Hulud stands out for its autonomous replication capability. Instead of a mere infection, Shai-Hulud introduces worm-like propagation, continuously seeking out and compromising additional packages and environments.<\/p>\n Attack chain<\/i><\/b><\/p>\n The Shai-Hulud attack chain began with a phishing email disguised as an NPM security alert, tricking a developer into revealing credentials (Figure 1). Attackers compromised the developer\u2019s NPM account and uploaded a malicious package. When installed, this package executed JavaScript and embedded Unix shell scripts to establish persistence and start stealing information.<\/p>\n Using stolen GitHub access tokens, the malware authenticated to the GitHub API, checked user permissions, and listed all repositories the victim could access \u2013 including private ones. It cloned private repositories to attacker accounts, created a new branch in each, and deployed a malicious workflow to automate data theft.<\/p>\n Next, the malware downloaded and installed TruffleHog to scan for and harvest more secrets from files. It made all stolen repositories public and mirrored their entire history. Sensitive data was then exfiltrated to the attacker using automated web requests.<\/p>\n This chain shows how a single compromised account can lead to the spread of malicious code, credential theft, and mass data leakage across an organization\u2019s entire development environment.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The widespread exposure of this threat means that hundreds of packages could have been compromised before initial detection, undermining organizations\u2019 trust in adopting open-source dependencies. The scalability of the attack, enabled by automation, significantly increases both technical and business risks, requiring minimal effort from the attacker once deployed. <\/p>\n What makes Shai-Hulud distinctive?<\/span><\/p>\n Traditional software supply chain threats typically involve single-use payloads or targeted credential theft. Shai-Hulud distinguishes itself through its ability to self-replicate within the NPM ecosystem, using available functionality in post-install scripts to establish secondary and tertiary infections. Once a compromised package is installed, the worm automatically attempts to spread to new targets, creating a multiplying threat that does not rely on human actor intervention after initial deployment.<\/p>\n Key traits:<\/b><\/p>\n Technical methodology<\/b><\/p>\n Risk to NPM and open source<\/b><\/p>\n The core strength and risk of NPM lies in its vast network of community-driven packages. Shai- Hulud’s self-replicating worm design specifically targets this community trust, highlighting how quickly a single malicious actor can impact a disproportionately large segment of developers and software projects.<\/p>\n Malicious workflow injection analysis<\/b><\/p>\n The Shai-Hulud worm utilizes an advanced technique by injecting malicious GitHub Actions workflows into targeted repositories, enabling automated propagation and secret exfiltration across an organization\u2019s development environment. The primary function of the injected workflow, as shown in Figure 2, is to systematically collect and exfiltrate repository secrets:<\/p>\n Shai-Hulud also leverages GitHub\u2019s REST API to automate its lateral movement and establish persistence (Figure 3). The worm checks the validity and permissions of available GitHub authentication tokens to confirm the ability to interact with the API.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n By issuing API requests such as For each eligible repository, the Shai-Hulud worm carries out:<\/p>\n GitHub repository cloning analysis<\/b><\/p>\n Shai-Hulud\u2019s attack chain features an automated process for cloning, migrating, and exposing private GitHub repositories from an organization to an attacker\u2019s infrastructure. The following section outlines the programmatic stages of this cloning activity.<\/p>\n The main orchestration logic coordinates the full cloning cycle \u2013 from initialization through repository creation and exposure (Figure 7).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The worm iterates through all identified private repositories within a target organization, utilizing internal logic to ensure each repository is analyzed and handled (Figure 8).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Initial checks confirm the presence and validity of required inputs \u2013 such as organization name, target username, and GitHub authentication token \u2013 to ensure both API compliance and workflow reliability (Figure 9).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n API interactions are abstracted behind a standardized communication wrapper, responsible for managing authentication (via bearer tokens or OAuth apps) and handling HTTP GET, POST, PUT, and PATCH methods for robust error handling (Figure 10).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The process targets only private or internal repositories to maximize stealth and impact. API pagination is implemented to enumerate all repositories within large organizations efficiently (Figure 11).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n For every discovered repository, the worm creates a corresponding destination repository in the attacker\u2019s account \u2013 embedding an identifier in the repository description such as \u201cShai-Hulud Migration\u201d for tracking (Figure 12).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Once created, what was a private repository in the victim\u2019s organization is made public under the attacker\u2019s control, facilitating mass data exposure and fingerprinting (Figure 13).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n To maximize the value of the theft, the worm performs a full mirror clone, capturing not just code contents but also the entire commit and branch history for later exploitation or secondary attacks (Figure 14).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Through these automated mechanisms, Shai-Hulud rapidly exfiltrates high-sensitivity intellectual property and source code from private repositories, weaponizing it for further data exposure, ransom, or downstream supply chain threats.<\/p>\n Credential harvesting via TruffleHog<\/b><\/p>\n As part of its post-compromise activities, Shai-Hulud leverages TruffleHog to further automate credential and secret discovery on compromised environments. The workflow begins by obtaining the latest release of the TruffleHog binary, programmatically retrieving the most recent version available for download (Figure 15).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Once the appropriate TruffleHog file is identified, the worm downloads the binary, automatically detecting and extracting the correct version based on the operating system present on the victim\u2019s machine (Figure 16).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n After extraction, TruffleHog is installed or placed into the environment, making it readily available for use by the malicious workflow (Figures 17 and 18).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The malware then spawns a child process, invoking TruffleHog to scan the local filesystem or target repository contents for high-entropy strings, keys, and other sensitive secrets. This process is conducted in-memory or within a runtime context to evade persistent detection. Once scanning is complete, the TruffleHog binary is deleted to cover tracks and minimize forensic artifacts.<\/p>\n By integrating TruffleHog in this automated fashion, Shai-Hulud markedly increases the volume and quality of exfiltrated secrets, while maintaining operational stealth throughout its attack lifecycle.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Trend Vision One\u2122 Threat Intelligence<\/span><\/p>\n To stay ahead of evolving threats, Trend customers can access Trend Vision One\u2122 Threat Insights<\/a> which provides the latest insights from Trend Research on emerging threats and threat actors.<\/p>\n Trend Vision One Search App<\/b><\/p>\n Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment. <\/p>\n Detection of Malware payloads<\/i><\/b><\/p>\n malName: (*CRYPTOHIJACK* OR *SHULUD*) AND eventName: MALWARE_DETECTION<\/span><\/i><\/p>\n More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled<\/a>. <\/p>\n The indicators of compromise for this entry can be found here<\/a><\/span>. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n\n\nWhat types of packages are at risk<\/span><\/h2>\n
Attackers stole cryptocurrency assets<\/span><\/h2>\n
\n\nWhat the Shai-hulud worm does<\/span><\/h2>\n
\n
\n\nWho has been affected so far<\/span><\/h2>\n
Security recommendations<\/span><\/h2>\n
\n
\n\n\n\n\n
\n
Shai-Hulud analyis<\/span><\/h2>\n
Upon execution, Shai-Hulud prepares the following:<\/p>\n\n
\n
\n\n\n\n
\/user\/repos?affiliation=owner,collaborator,organization_member&since=2025-01-01T00:00:00Z&per_page=100<\/b>,
the worm identifies repositories where the compromised account has adequate privileges, filtering by owner, collaborator, or organization member roles and focusing on recent activity (Figure 4).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n\n\n\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nTrend Vision One Threat Insights<\/span><\/h2>\n
Trend Vision One Intelligence Reports (IOC Sweeping) <\/span><\/h2>\n
Hunting Queries <\/span><\/h2>\n