Widespread Supply Chain Compromise Impacting npm Ecosystem | CISA

Source: original

Alert

Widespread Supply Chain Compromise Impacting npm Ecosystem

Release Date

September 23, 2025

CISA is releasing this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.[i]

After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.[ii]

The malware then:

CISA urges organizations to implement the following recommendations to detect and remediate this compromise:

See the following resources for additional guidance on this compromise:

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. [i] Ashish Kurmi, “Shai-Hulud: Self Replicating Work Compromises 500+ NPM Packages,” StepSecurity, (September 15, 2025), https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised; Kush Pandya, Peter van der Zee, and Olivia Brown, “Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages,” Socket,(September 16, 2025), https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages.

[ii] Palo Alto Networks Unit 42, “‘Shai-Hulud’ Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19),” Unit 42, Palo Alto Networks,(September 17, 2025), https://unit42.paloaltonetworks.com/npm-supply-chain-attack/.

[iii] Palo Alto Networks Unit 42, “Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19).”

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.