This morning, we were alerted to a large-scale attack against npm. This appears to the be work of the same threat actors behind the Nx attack on August 27th 2025. This was originally published by Socket and StepSecurity who noted 40 packages had been comrpomised, since then an additional 147 packages have been infected with malware including packages from CrowdStrike.
The scale, scope and impact of this attack is significant. The attackers are using the same playbook in large parts as the original attack, but have stepped up their game. They have turned it into a full worm, which does these things automatically:
- Steal secrets and publish them to GitHub publicly
- Run trufflehog and query Cloud metadata endpoints to gather secrets
- Attempt to create a new GitHub action with a data exiltration mechanism through webhook[.]site
- Iterate the repositories on GitHub a user has access to, and make them public
Since our initial alert this morning we’ve confirmed the following additional behaviours and important details. For those that don't know, Shai Hulud is the name for the worm in the Dune franchise. A clear indication of the intent of the attackers.
To avoid being compromised by packages like this, check out Aikido safe-chain!
What the worm does
- Harvest: scans the host and CI environment for secrets — process.env, scanning with TruffleHog, and cloud metadata endpoints (AWS/GCP) that return instance/service credentials.
- Exfiltrate (1) — GitHub repo: creates a repo named Shai-Hulud under the compromised account and commits a JSON dump containing system info, environment variables, and collected secrets.
- Exfiltrate (2) — GitHub Actions → webhook: drops a workflow
.github/workflows/shai-hulud-workflow.ymlthat serializes${{ toJSON(secrets) }}, POSTs them to an attackerwebhook[.]siteURL and writes a double-base64 copy into the Actions logs. - Propagate: uses any valid npm tokens it finds to enumerate and attempt to update packages the compromised maintainer controls (supply-chain propagation).
- Amplify: iterates the victim’s accessible repositories, making them public or adding the workflow/branch that will trigger further runs and leaks.
Leaking of secrets
As with the original Nx attack, we're seeing the attackers doing a smash-and-grab style attack. The malicous payload both publishes a "Shai-Hulud" repository with stolen credentials/tokens, and it will go through a GitHub account and turn private repository to public:
Self-propogation through npm
One of the most striking features of this attack is that it behaves like a true worm. Rather than relying on a single infected package to spread, the code is designed to re-publish itself into other npm packages owned by the compromised maintainer.
Here’s how the worm logic works:
- Download a target tarball – it fetches an existing package version from the npm registry.
- Modify
package.json– the worm bumps the patch version (e.g.1.2.3 → 1.2.4) and inserts a new lifecycle hook (postinstall) - Copy its own payload – the running script (
process.argv[1]) is written into the tarball asbundle.js. This ensures that whatever code infected one package now lives inside the next. - Re-publish the trojanized package – the modified tarball is gzipped and pushed back to npm using the maintainer’s credentials.
This cycle allows the malware to continuously infect every package a maintainer has access to. Each published package becomes a new distribution vector: as soon as someone installs it, the worm executes, replicates, and pushes itself further into the ecosystem.
In short: the attacker doesn’t need to manually target packages. Once a single environment is compromised, the worm automates the spread by piggybacking on the maintainer’s own publishing rights.
Impacted packages
Story developing…
Remediation Advice
- Check the versions you are using
- Clean your npm cache
- Reinstall all packages in your repository
- Make sure you use a package lock file, and use pinned versions
How to tell if you are affected using Aikido:
If you are an Aikido user, check your central feed and filter on malware issues. The vulnerability will be surfaced as a 100/100 critical issue in the feed. Tip: Aikido rescans your repos nightly, though we recommend triggering a full rescan as well.
If you are not yet an Aikido user, set up an account and connect your repos. Our proprietary malware coverage is included in the free plan (no credit card required).
For future protection, considering using Aikido SafeChain (open source), a secure wrapper for npm, npx, yarn... Safechain sits in your current workflows, it works by intercepting npm, npx, yarn, pnpm and pnpx commands and verifying the packages for malware before install against Aikido Intel - Open Sources Threat Intelligence. Stop threats before they hit your machine.
.avif)
