640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack
The new self-replicating worm iteration has destructive capabilities, erasing home directory contents if it cannot spread to more repositories. The post 640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack appeared first on SecurityWeek.
Approximately 640 NPM packages have been infected with a new variant of the Shai-Hulud self-replicating worm in a fresh wave of attacks.
The first Shai-Hulud iteration emerged in mid-September, when it infected over 180 packages in a supply chain attack leading to the exposure of GitHub, NPM, AWS, and Google Cloud credentials, Atlassian keys, and Datadog API keys.
Upon execution on a victim’s system, the malware would search for NPM tokens, enumerate the packages the victim has access to, inject them with a post-install script to propagate itself, repackage them, and then publish the malicious package versions to the repository.
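A first defensive triage step for the propagation mechanism described above (a post-install script injected into packages the stolen token can publish) is to list which installed packages run code at install time. This is an added example, not code from SecurityWeek or from any published analysis of the worm; the sample node_modules tree, package names and script commands are constructed placeholders.

```python
"""Audit an installed dependency tree for npm install-time lifecycle hooks.

Shai-Hulud spreads by adding a post-install script to packages it republishes,
so enumerating which packages would execute during `npm install` is a cheap
first check. Added example; the sample tree below is constructed.
"""
import json
import os
import tempfile

# Lifecycle scripts npm runs automatically for every dependency on install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(root):
    """Return {package_name: {hook: command}} for every package.json under
    root that declares an install-time lifecycle script."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[manifest.get("name", path)] = hooks
    return findings


def build_sample_tree():
    """Constructed node_modules with one clean package and one that declares
    a postinstall script (placeholder command, not real worm code)."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    packages = {
        "clean-lib": {"name": "clean-lib", "version": "1.0.0",
                      "scripts": {"test": "jest"}},
        "suspect-lib": {"name": "suspect-lib", "version": "2.3.1",
                        "scripts": {"postinstall": "node postinstall.js"}},
    }
    for name, manifest in packages.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hooks in find_install_hooks(build_sample_tree()).items():
        print(f"{name}: {hooks}")
```

In CI, `npm ci --ignore-scripts` stops lifecycle scripts from running at all; the audit above shows what would run if they were enabled.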
Source: https://www.securityweek.com/640-npm-packages-infected-in-new-shai-hulud-supply-chain-attack/
Related breach coverage
- Bitwarden NPM Package Hit in Supply Chain Attack (2026-04-24)
Tied to a fresh Checkmarx supply chain attack claimed by TeamPCP, the incident references the Shai-Hulud worm.
- Shai-Hulud Supply Chain Attack Led to $8.5 Million Trust Wallet Heist (2025-12-31)
The worm exposed Trust Wallet’s Developer GitHub secrets, allowing attackers to publish a backdoor extension and steal funds from 2,520 wallets.
- New ‘Sandworm_Mode’ Supply Chain Attack Hits NPM (2026-02-24)
The malicious code propagates like a worm, poisons AI assistants, exfiltrates secrets, and contains a destructive dead switch.
- Tens of Thousands of Malicious NPM Packages Distribute Self-Replicating Worm (2025-11-13)
The spam campaign is likely orchestrated by an Indonesian threat actor, based on code comments and the packages’ random names.
