CERT-In Advisory
CIAD-2025-0034
Supply Chain Attack Targeting npm Ecosystem (Shai-Hulud Worm)
Original Issue Date: September 25, 2025
Severity Rating: High
Description
It has been observed that an active and widespread software supply chain attack is targeting the Node Package Manager (npm) ecosystem. The npm ecosystem comprises the complete network of software packages, developers, tools, and services that support the Node.js and JavaScript development community, centered around the npm Registry (npmjs.com) and its official command-line interface (CLI) tool. As part of this campaign, a self-replicating worm, publicly known as "Shai-Hulud", has compromised more than 500 software packages. This attack has the potential to impact start-ups, IT/ITES companies, fintech platforms, and e-Governance applications that rely on npm-based software, resulting in exposure of credentials, unauthorized code execution, and further supply chain compromise.
This campaign combines supply chain compromise with automated propagation, creating cascading impact at scale. It began with credential-harvesting phishing emails spoofing npm that prompted developers to "update" MFA settings. After initial access, the actor deployed malware to harvest credentials and a worm-like payload that triggered a multi-stage spread across packages.
In this campaign, malicious package versions contain a worm that executes a post-installation ("postinstall") script. The malware scans the environment for sensitive credentials, including:
- .npmrc files (for npm tokens)
- Environment variables and configuration files, specifically targeting GitHub Personal Access Tokens (PATs) and API keys for cloud services such as:
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
The malware used in this campaign performs the following actions:
- Exfiltrates the harvested credentials to an endpoint controlled by the actor.
- Uploads the credentials to a public repository named "Shai-Hulud" created via the GitHub /user/repos API.
- Authenticates to the npm registry using compromised developer credentials and injects malicious code into other packages.
- Publishes tainted versions automatically, enabling rapid, self-propagating spread without direct actor intervention.
- Attempts to establish persistence by creating a malicious GitHub Actions workflow file.
Recommendations
- Conduct a dependency review of all software leveraging the npm package ecosystem.
- Check package-lock.json or yarn.lock files to identify affected packages, including nested dependencies.
- Search for cached versions of affected dependencies in artifact repositories and dependency management tools.
- Rotate all developer credentials.
- Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and npm.
- Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets.
- Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates.
- Monitor network traffic and firewall logs for anomalous behavior and connections to suspicious domains.
- Block outbound connections to webhook.site domains.
- Inspect organizational GitHub accounts for signs of compromise such as unauthorized repositories named "Shai-Hulud," suspicious commits, or the presence of malicious workflow files (e.g., .github/workflows/shai-hulud-workflow.yml).
- Review all repositories for unexpected branches named "shai-hulud" that may have been created without developer authorization.
- Note that npm and GitHub have removed malicious versions and announced upcoming mandatory 2FA and trusted publishing. Align internal practices with these ecosystem changes.
References
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
https://unit42.paloaltonetworks.com/npm-supply-chain-attack/
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003
India