SHAI-HULUD: SELF-REPLICATING WORM HITS 180+ NPM PACKAGES

A supply chain attack has compromised at least 187 npm packages, impacting developers in the JavaScript and Node.js communities. The worm, named Shai-Hulud, was first identified on September 15, 2025, and has since been linked to a broader campaign that includes the earlier Nx supply chain attack.


The Timeline of the Attack

The Shai-Hulud worm was first identified on September 15, 2025, linked to the earlier Nx supply chain attack and recent npm phishing campaigns. 


On September 16–17, 2025, Socket.dev confirmed that about 25 CrowdStrike-related npm packages were briefly compromised, though CrowdStrike quickly removed them and rotated credentials. 


In the days after, advisories confirmed that at least 187 npm packages had been impacted, making Shai-Hulud one of the most dangerous self-replicating supply chain worms to date.



How the Attack Unfolded

The Shai-Hulud worm operates by adding malicious JavaScript code (bundle.js) into npm packages. 


Once installed, the compromised package runs a post-install script that collects sensitive information such as GitHub tokens, npm tokens and cloud access keys, and sends it to attacker-controlled infrastructure hosted on GitHub.


The worm spreads further by using stolen npm tokens to release harmful versions of other packages the developer controls, reaching more users.
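The worm's entry point, as the article describes it, is an npm install-time lifecycle script that runs an added bundle.js. The following is an added defender-side example, not code from the article or from any affected project: it lists the install hooks (preinstall, install, postinstall) declared by installed package manifests and marks those that execute a bundle.js as high risk. The manifests and package names in SAMPLE_MANIFESTS are constructed placeholders; loadManifests can be pointed at a real node_modules directory.

```javascript
// Added example (not from the article): flag npm package manifests that declare
// install-time lifecycle scripts, the mechanism the article says the worm used.
// All package names and manifests below are constructed placeholders.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed sample manifests, keyed by package name, in the shape of
// node_modules/<name>/package.json.
const SAMPLE_MANIFESTS = {
  'example-clean-lib': { name: 'example-clean-lib', version: '1.0.0', scripts: { test: 'node test.js' } },
  'example-suspect-lib': { name: 'example-suspect-lib', version: '2.3.1', scripts: { postinstall: 'node bundle.js' } },
  'example-builder': { name: 'example-builder', version: '0.9.0', scripts: { install: 'node-gyp rebuild' } },
};

// Return the install-time hooks a manifest declares, with the command each runs.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Heuristic: the article names bundle.js as the file the worm added, so a hook
// that runs a bundle.js is a stronger signal than an ordinary native build step.
function isHighRisk(hookEntry) {
  return /\bbundle\.js\b/.test(hookEntry.command);
}

// Scan a map of manifests and report every package with install hooks,
// with severity "high" for bundle.js hooks and "review" for anything else.
function scanManifests(manifests) {
  const findings = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    const hooks = installHooks(manifest);
    if (hooks.length === 0) continue;
    const severity = hooks.some(isHighRisk) ? 'high' : 'review';
    findings.push({ name, version: manifest.version, hooks, severity });
  }
  return findings;
}

// Read real manifests from a node_modules directory, including scoped
// packages (@scope/name). Entries without a package.json are skipped.
function loadManifests(nodeModulesDir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const manifests = {};
  if (!fs.existsSync(nodeModulesDir)) return manifests;
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    const entryPath = path.join(nodeModulesDir, entry);
    if (!fs.statSync(entryPath).isDirectory()) continue;
    const dirs = entry.startsWith('@')
      ? fs.readdirSync(entryPath).map((sub) => `${entry}/${sub}`)
      : [entry];
    for (const dir of dirs) {
      const file = path.join(nodeModulesDir, dir, 'package.json');
      if (!fs.existsSync(file)) continue;
      try {
        manifests[dir] = JSON.parse(fs.readFileSync(file, 'utf8'));
      } catch {
        // unreadable or malformed manifest: skip rather than abort the scan
      }
    }
  }
  return manifests;
}

// Usage: node scan-hooks.js [path/to/node_modules]; without an argument the
// constructed sample manifests are scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const dir = process.argv[2];
  const manifests = dir ? loadManifests(dir) : SAMPLE_MANIFESTS;
  console.log(JSON.stringify(scanManifests(manifests), null, 2));
}
```

A "review" finding is not evidence of compromise: many legitimate native modules use install hooks. The value of the report is the short list it produces for a human to check against the advisory for this incident.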


CrowdStrike Affected

Among the affected entities is cybersecurity firm CrowdStrike; the security platform Socket.dev reports that around 25 CrowdStrike-related npm packages were briefly impacted.


CrowdStrike quickly removed the malicious packages and rotated associated keys. A spokesperson confirmed the packages were not used in the Falcon sensor platform, and customers remained protected. The firm is working with npm to investigate further.


Rising Supply Chain Attacks

Recently, attackers tricked developers with a phishing campaign pretending to be npm, targeting developers updating multi-factor authentication. About two dozen npm packages were affected.


Shai-Hulud demonstrates the growing danger of supply chain attacks: this self-replicating worm spreads through packages relied on by developers and companies, even catching well-protected teams off guard.


Unlike earlier attacks that required manual updates, Shai-Hulud can compromise all packages maintained by a developer, potentially affecting multiple projects and exposing credentials and cloud accounts.


This incident is a wake-up call for anyone using third-party software. Even trusted packages can become a route for widespread damage. Vigilance, careful oversight of dependencies, and constant monitoring are essential to protect projects and data.


Protecting Your Projects and Organization from Supply Chain Attacks

To reduce the risk of attacks like Shai-Hulud, developers and organizations can take the following steps:


1. Check Dependencies: Always review all third-party npm packages you use. Use tools like npm audit to find known vulnerabilities, and ensure packages come from trusted sources.


2. Change Credentials: Rotate any tokens, secrets, or keys that could have been exposed, including npm tokens and cloud service credentials.


3. Limit Access: Apply least-privilege policies. Give only the permissions necessary to developers, tools, and CI/CD pipelines. Limiting access reduces the potential impact of a compromised account.


4. Monitor Builds: Watch for unusual changes or unexpected workflows in your build and CI/CD systems. Automated checks and alerts help surface them early.


5. Report Suspicious Activity: Notify your team or security contacts immediately if you notice unusual behavior in a package. Sharing information with platforms like npm or GitHub can help stop attacks faster.


6. Stay Informed: Follow updates from package maintainers, security advisories, and trusted sources so you can respond quickly to threats.
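Steps 1 and 4 above come down to two concrete checks after an incident like this: does the lockfile contain any package version named in the advisory, and are install scripts disabled so an unexpected hook cannot run during npm install? The following is an added example, not the article's own code, that performs both. The advisory entries, the package names and the package-lock.json content are constructed placeholders, not real compromised packages; a real run would load the advisory list published by npm, GitHub or a vendor and the project's actual lockfile and .npmrc.

```javascript
// Added example (not from the article): check an npm lockfile against a list of
// known-bad package versions and check whether install scripts are disabled.
// All package names, versions and file contents below are constructed placeholders.

// Constructed advisory list in "name@version" form (placeholders only).
const ADVISORY = new Set([
  'example-widget@4.2.1',        // placeholder, not a real compromised package
  '@example-org/tooling@1.0.5',  // placeholder scoped package
]);

// Constructed package-lock.json (lockfileVersion 3) with a nested dependency
// that pins a different version than the top-level copy.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/example-widget': { version: '4.2.1' },
    'node_modules/@example-org/tooling': { version: '1.0.4' },
    'node_modules/left-thing': { version: '2.0.0' },
    'node_modules/left-thing/node_modules/@example-org/tooling': { version: '1.0.5' },
  },
};

// Derive the package name from a lockfile "packages" key: everything after the
// last "node_modules/" segment, which handles nested and scoped packages.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// List every installed name@version in the lockfile that appears in the advisory,
// including copies nested under other dependencies.
function findCompromised(lockfile, advisory) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = entry.name || packageNameFromKey(key);
    if (!name || !entry.version) continue;
    const id = `${name}@${entry.version}`;
    if (advisory.has(id)) hits.push({ path: key, id });
  }
  return hits;
}

// Parse .npmrc text and report whether ignore-scripts=true is in effect.
// Later lines override earlier ones; comments start with # or ;.
function ignoreScriptsEnabled(npmrcText) {
  let enabled = false;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'ignore-scripts') enabled = value === 'true';
  }
  return enabled;
}

// Usage: node check-lockfile.js [package-lock.json] [.npmrc]; without arguments
// the constructed sample data is checked.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const [lockPath, npmrcPath] = process.argv.slice(2);
  const lockfile = lockPath ? JSON.parse(fs.readFileSync(lockPath, 'utf8')) : SAMPLE_LOCKFILE;
  const npmrc = npmrcPath ? fs.readFileSync(npmrcPath, 'utf8') : 'ignore-scripts=true\n';
  console.log('compromised versions installed:', findCompromised(lockfile, ADVISORY));
  console.log('install scripts disabled:', ignoreScriptsEnabled(npmrc));
}
```

Checking the lockfile rather than package.json matters because a range such as ^1.0.0 says nothing about which version was actually installed, and a nested copy can differ from the top-level one, as the constructed lockfile shows.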


This attack is a reminder that open-source security is only as strong as the packages you rely on. Treat your dependencies with the same care as your own systems, and make security checks a regular part of your workflow.

