GHSA-hxxf-q3w9-4xgw
Summary
On July 12, 2018, an attacker compromised an ESLint maintainer's npm account (the maintainer had reused their password and lacked 2FA) and published malicious versions eslint-scope@3.7.2 and eslint-config-eslint@5.0.2. On installation, the packages downloaded and executed code from pastebin.com that read the victim's .npmrc file and exfiltrated its npm publish tokens to the attacker, an attempt to self-propagate by stealing more publishing credentials. npm revoked all tokens issued before 2018-07-12 12:30 UTC in response.
References
Related vulnerabilities
- CRITICAL NPM-SHAI-HULUD-2-2025
Shai-Hulud is the nightmare the npm ecosystem had long feared: a self-replicating worm. First seen in September 2025 and back in a more aggressive wave around 21-24 November 2025 ("The Second Coming"), it does not just poison one package and wait. When its malware runs in a developer's environment, it harvests every secret it can find (npm tokens, GitHub tokens, cloud keys), then uses those stolen npm tokens to automatically publish itself into other packages the victim maintains, spreading from maintainer to maintainer on its own. The second wave hit more than 25,000 GitHub repositories across roughly 500 compromised accounts, leaked the stolen secrets into public repos, and, if it failed to steal credentials, tried to wipe the victim's home directory. It is the moment supply-chain malware learned to propagate like a biological infection.
- CRITICAL GHSA-6m4g-vm7c-f8w6
Shai-Hulud, in September 2025, was the moment the npm ecosystem's worst fear came true: a worm that spreads by itself. It began with a wave of compromised packages, the most prominent being @ctrl/tinycolor (over two million weekly downloads), and from there it did something no npm attack had done before. When its malware ran on a developer's machine, it hunted for every credential it could find, then used the developer's own npm token to republish itself into all of their other packages automatically, with no attacker involvement, jumping from maintainer to maintainer like an infection. More than 500 packages were compromised, including some from CrowdStrike. It is the first true npm worm, and the template for the even more aggressive Shai-Hulud 2.0 that followed weeks later.
- CRITICAL NPM-QIX-CHALK-DEBUG-2025
On 8 September 2025, the largest npm supply-chain attack ever by sheer reach hit foundational packages (chalk, debug, ansi-styles, strip-ansi, and 14 more) that together are downloaded over 2 billion times a week. The cause was a single phishing email. A respected maintainer was tricked by a fake "your npm 2FA is expiring" message into handing over his account, and the attackers published poisoned versions of his ultra-popular libraries. The payload was a crypto clipper: browser code that silently swapped any cryptocurrency address a user was sending to with the attacker's. Automated scanners flagged the poisoned versions within minutes and they were pulled within about two hours; the actual theft came to roughly a thousand dollars, the one piece of good news in an attack that sat, briefly, under nearly the entire JavaScript ecosystem.
- CRITICAL GHSA-CXM3-WV7P-598C
On August 26, 2025, attackers exploited a vulnerable GitHub Actions workflow (added Aug 21) susceptible to code injection via a crafted pull-request title to steal Nx's npm publishing token, then published malicious versions of nx (21.5.0, 20.9.0 and others) and several @nx plugins. The malware scanned the filesystem, collected credentials, npm/GitHub tokens, SSH keys and cryptocurrency wallets, and posted them to public GitHub repositories under victim accounts. Dubbed 's1ngularity', it was the first known supply chain attack to weaponize installed AI CLI tools (Claude, Gemini, q) for reconnaissance. The packages were live for about four hours and thousands of secrets were leaked.
- CRITICAL NPM-GLUESTACK-REACT-NATIVE-ARIA-2025
Starting June 6, 2025, a threat actor used a leaked npm access token belonging to a maintainer without 2FA to publish malicious versions of 16-17 React Native Aria and gluestack-ui packages with over 1 million combined weekly downloads. The packages were backdoored with obfuscated Remote Access Trojan (RAT) code hidden using whitespace obfuscation, establishing command-and-control infrastructure and persistence on compromised systems. The same payload was tied to a broader campaign also hitting PyPI; end-user impact was limited by the frontend nature of the libraries and a response within 48 hours.
- HIGH CVE-2025-30154
On March 11, 2025 between 18:42 and 20:31 UTC, reviewdog/action-setup@v1 was compromised. Attackers gained enough access to repoint the v1 tag to a malicious fork and inserted a base64-encoded payload directly into install.sh that dumped exposed secrets into GitHub Actions workflow logs. Dependent reviewdog actions (action-shellcheck, action-staticcheck, action-typos and others) were transitively affected. This compromise is believed to have been the entry point that led to the broader tj-actions/changed-files attack; deeper analysis found roughly 218 repositories actually leaked secrets.