A new malware campaign called Shai-Hulud is causing serious trouble for npm users. Security researchers have confirmed that this malware spreads like a worm inside the JavaScript ecosystem. It takes over developer accounts and injects malicious code into popular packages. Because of its scale, it is being seen as one of the biggest recent supply-chain attacks.

The first warnings appeared in September 2025 when experts detected major tampering in npm packages. Attackers had secretly inserted harmful scripts inside trusted and widely used packages. These infected versions were then published using verified developer accounts. This exposed how easily the open-source ecosystem could be misused.

In the newest wave, often called Shai-Hulud 2.0, the attack has grown much wider. Security teams found that more than 25,000 GitHub repositories had been affected. Almost 700 npm packages have been identified as compromised or suspicious so far. The worm is spreading faster now because of heavy automation.

The attack usually begins when the attacker steals a developer’s npm or GitHub token. This is often done through phishing or leaked credentials. Once they gain access, the attackers upload a modified version of a legitimate package. When someone installs it, the malicious code runs silently in the background.

After the package executes, the malware starts collecting sensitive information like tokens, secrets and cloud keys. It has been seen stealing GitHub, AWS and GCP credentials from machines and CI/CD pipelines. These stolen credentials are then used to break into more repositories. This creates a chain reaction and helps the worm expand quickly.

Investigators also found cases where Shai-Hulud secretly added hidden GitHub workflows to infected repositories. These workflows allow attackers to keep long-term access without being detected. Some compromised packages used “preinstall” scripts so that the payload ran automatically during installation, before the developer had any chance to inspect the package. This makes the attack very hard to notice in normal development work.

The biggest danger is that this malware affects the entire software supply chain. Even well-known and trusted libraries can become sources of infection. Developers, organisations and automated build systems can all be impacted without any warning. Because the attack spreads widely, it puts both small and large teams at risk.

Experts recommend rotating all developer tokens and cloud credentials immediately. Teams should review recent updates, check dependency changes and pin safe versions. It is also advised to limit or block install scripts and strengthen security settings. Taking quick action is important because the worm is still active and spreading.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news