Shai-Hulud npm Attack: What You Need to Know

Shak

5 min read
Shai-Hulud npm Attack: What You Need to Know
Shai-Hulud 2.0 - Photo by Juanjo Jaramillo / Unsplash

Over 796 npm packages have been compromised by a self-replicating worm called Shai-Hulud, affecting more than 20 million weekly downloads (Datadog Security Labs). CISA has issued an official alert, and security researchers have identified over 25,000 GitHub repositories that have already leaked credentials (Wiz). If your JavaScript projects pull from npm, you need to verify your exposure immediately.

What Is the Shai-Hulud npm Attack?

Named after the giant sandworm from Dune, Shai-Hulud is a self-replicating malware worm that spreads autonomously through the npm ecosystem. Unlike typical supply chain attacks, this worm automatically propagates to other packages maintained by compromised developers.

The attack began in September 2025 with a targeted phishing campaign. Attackers sent emails impersonating npm support, claiming developers needed to "update their MFA settings" (Qualys). Once a maintainer entered credentials, attackers gained access to their npm account and began publishing malicious package versions. The first wave compromised over 500 packages including chalk (299 million weekly downloads) and debug (47 million weekly downloads). Within two hours, approximately 10% of cloud environments had pulled compromised packages.

The second wave, dubbed "Shai-Hulud 2.0," emerged in late November and proved far more aggressive, expanding to packages from Zapier, ENS Domains, PostHog, and Postman. At least 10 cryptocurrency-related packages were compromised including ENS libraries handling Ethereum address resolution (Aikido Security).

Attack Timeline Shai Halud 2.0

How the Attack Works

The malware executes during npm package installation, running before the install even completes. The second wave shifted from post-install to pre-install execution, dramatically increasing the attack surface (Unit 42). Even failed installations can trigger credential theft.

Shai-Hulud 2.0 introduced a notable evasion technique: it uses the Bun runtime instead of Node.js to execute its payload. According to Check Point, this is intentional to avoid detection by security tools monitoring Node.js behaviour.

Once activated, Shai-Hulud performs several malicious actions:

  • Credential harvesting: Scans for GitHub tokens, npm credentials, and cloud API keys for AWS, GCP, and Azure
  • Secret scanning: Deploys TruffleHog to find additional secrets in files and environment variables
  • Exfiltration: Creates public GitHub repositories to store stolen credentials, often with the description "Sha1-Hulud: The Second Coming"
  • Self-propagation: Uses stolen npm tokens to publish malicious versions of up to 100 additional packages
  • Destructive fallback: If unable to exfiltrate or spread, attempts to delete the victim's home directory

That last point deserves emphasis. GitLab's security team discovered the malware contains a "dead man's switch" mechanism. If Shai-Hulud cannot steal credentials or establish any exfiltration channel, it defaults to catastrophic data destruction, deleting every writable file under the user's home folder (Koi Security). This makes containment tricky since aggressive takedowns could trigger widespread data loss.

How to Check If You're Affected

The attackers use a clever exfiltration technique: instead of sending stolen data to external servers, they create public repositories on the victim's own GitHub account to dump credentials. This means checking your own account is a valid detection method.

Search your GitHub account for repositories with "Shai-Hulud" in the name or description, particularly repos you didn't create with descriptions like "Sha1-Hulud: The Second Coming" (Wiz). Also review your npm publishing history for unauthorized package versions and check for private repositories that have been made public without your knowledge.

For package-level detection, I built a custom npm vulnerability scanner that uses the deps.dev API to check dependencies beyond what npm audit covers. For a deeper dive into detection strategies, see my earlier piece on auditing the npm supply chain.

Key indicators of compromise:

  • New GitHub repositories you didn't create, especially with "Shai-Hulud" references
  • Unexpected npm package versions published under your account
  • Suspicious commits containing workflow files like "discussion.yaml"
  • Private repositories that have been made public without authorization

Immediate Steps to Take

If you suspect exposure, act quickly:

  1. Rotate all credentials: GitHub tokens, npm tokens, AWS/GCP/Azure keys, and any secrets that may have been stored in environment variables
  2. Pin package versions: Lock dependencies to known safe versions released before September 16, 2025 (CISA recommendation)
  3. Clean your environment: Run rm -rf node_modules && npm cache clean --force, then reinstall with npm ci
  4. Enable stronger authentication: Switch to FIDO-based 2FA instead of TOTP for npm and GitHub accounts
  5. Use --ignore-scripts: Consider adding ignore-scripts to your .npmrc to prevent automatic execution of install scripts

How GitHub and npm Are Responding

The severity of Shai-Hulud prompted significant platform changes. GitHub announced an overhaul of npm authentication, switching from TOTP-based 2FA to phishing-resistant FIDO/WebAuthn methods (GitHub Blog).

More urgently, npm is deprecating classic tokens entirely. All existing classic tokens will be revoked on December 9, 2025 (The Register). Organisations using classic tokens for CI/CD pipelines need to migrate to granular access tokens or trusted publishing before that deadline.

Why This Matters for Your Security Posture

Shai-Hulud represents a significant evolution in supply chain attacks. According to Check Point, the September campaign resulted in approximately $50 million in cryptocurrency theft. The November wave affected nearly 1,200 organizations including major banks and Fortune 500 firms (SIG).

This highlights a critical gap: traditional vulnerability scanning catches known CVEs after they're reported but doesn't detect newly compromised legitimate packages.

Final Thought

With npm hosting over 2 million packages and serving as the foundation for most JavaScript development, supply chain security has bumped up again in the priority list. The Shai-Hulud attack demonstrates that trusted packages from established maintainers can become attack vectors overnight.

Protecting your organisation requires a holistic approach, I find it useful to define them as four critical domains that you should encompass:

  1. Governance and Policy: Clear policies for dependency usage, vetting, and update procedures
  2. Technical Controls: Dependency scanning, version pinning, and private registries with delayed mirroring
  3. Data Security: No plaintext secrets, dedicated secret managers, least-privilege access
  4. Human Factors: Phishing awareness training and secure credential management habits

Key Resources:

References:

  • CISA (2025). "Widespread Supply Chain Compromise Impacting npm Ecosystem." September 23, 2025.
  • Datadog Security Labs (2025). "The Shai-Hulud 2.0 npm worm: analysis, and what you need to know."
  • Wiz (2025). "Shai-Hulud npm Supply Chain Attack" and "Shai-Hulud 2.0: Ongoing Supply Chain Attack."
  • Unit 42, Palo Alto Networks (2025). "'Shai-Hulud' Worm Compromises npm Ecosystem in Supply Chain Attack."
  • GitLab (2025). "GitLab discovers widespread npm supply chain attack."
  • Check Point (2025). "Shai-Hulud 2.0: Inside The Second Coming."
  • Qualys (2025). "Multiple npm Packages affected by the Ongoing Supply Chain Attack."
  • Aikido Security (2025). Analysis of cryptocurrency package compromises.
  • GitHub Blog (2025). "Our plan for a more secure npm supply chain."
  • The Register (2025). "Wormable npm attack returns as 25,000 repos spill secrets."

Read more