Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a major software supply chain attack on the npm registry that compromised more than 40 packages from multiple maintainers. Codenamed Shai-Hulud, the campaign modifies the package.json of each affected package, injects a malicious bundle.js script, and republishes the package, so that every downstream project installing the new version is trojanized in turn.
Once installed, the script runs TruffleHog to scan the developer's system for secrets such as GITHUB_TOKEN, NPM_TOKEN, and AWS keys. It validates the harvested tokens against the npm and GitHub APIs, uses them to create malicious GitHub Actions workflows, and exfiltrates the collected data to attacker-controlled servers. Because the injected workflow outlives the initial infection, subsequent CI/CD runs keep leaking secrets until it is removed.
The first wave of impacted packages includes:
- angulartics2@14.1.2
- @ctrl/deluge@7.2.2
- @ctrl/golang-template@1.4.3
- @ctrl/magnet-link@4.0.4
- @ctrl/ngx-codemirror@7.0.2
- @ctrl/ngx-csv@6.0.2
- @ctrl/ngx-emoji-mart@9.2.2
- @ctrl/ngx-rightclick@4.0.2
- @ctrl/qbittorrent@9.7.2
- @ctrl/react-adsense@2.0.2
- @ctrl/shared-torrent@6.3.2
- @ctrl/tinycolor@4.1.1, 4.1.2
- @ctrl/torrent-file@4.1.2
- @ctrl/transmission@7.3.1
- ngx-color@10.0.2
- ngx-toastr@19.0.2
- ngx-trend@8.0.1
- react-complaint-image@0.0.35
- rxnt-authentication@0.0.6, and many more.
A second wave reportedly used a compromised npm publisher account to release additional trojanized modules, including:
- @crowdstrike/commitlint@8.1.1, 8.1.2
- @crowdstrike/falcon-shoelace@0.4.2
- @crowdstrike/glide-core@0.34.2, 0.34.3
- @crowdstrike/logscale-dashboard@1.205.2
- eslint-config-crowdstrike@11.0.3
- remark-preset-lint-crowdstrike@4.0.2, and others.
At least 34 GitHub accounts were compromised to host repositories containing encoded JSON data of harvested secrets.
A CrowdStrike spokesperson told GBHackers on Security, “After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”
Separately, another security firm reported a phishing campaign using the typosquatted domain rustfoundation[.]dev. The emails urged crates.io developers to rotate their credentials through a fraudulent GitHub login page in order to steal GitHub access tokens. The phishing site has since been taken down, and no compromise of crates.io infrastructure was detected.
In a separate incident, attackers published malicious Nx packages to npm after exploiting a GitHub Actions injection vulnerability in the project's workflows. With a stolen npm publishing token they bypassed the release pipeline and, for about four hours, published trojanized versions of Nx open-source packages. These versions carried post-install scripts that scanned the user's system, abused locally installed AI tooling, and leaked the results to public GitHub repositories.
The malicious Nx packages included:
- nx: 21.5.0, 20.9.0, 20.10.0, 21.6.0, 20.11.0, 21.7.0, 21.8.0, 20.12.0
- @nx/devkit, @nx/js, @nx/workspace, @nx/node: 21.5.0, 20.9.0
- @nx/eslint: 21.5.0
- @nx/key, @nx/enterprise-cloud: 3.2.0
Together, these campaigns highlight the growing risks of npm ecosystem compromise, showing how attackers can weaponize package managers to infiltrate developer environments, steal secrets, and persist within CI/CD pipelines.
Impact
- Sensitive Data Exfiltration
- Account Compromise
- Script Execution
- Credentials Theft
Indicators of Compromise
MD5
78e701f42b76ccde3f2678e548886860
SHA-256
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
SHA-1
8b98ab71cc71c8768de27af80a3e0d1bc6c8d809
URL
- https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
Remediation
- Audit every lockfile and node_modules tree for the compromised versions listed above; treat any match as exposure of every secret reachable from the machine or runner that installed it
- Rotate npm, GitHub, and cloud tokens to invalidate stolen credentials; any token TruffleHog could find on an infected host must be assumed compromised
- Remove malicious GitHub workflows from repositories to stop persistence, and review the commit history that introduced them
- Monitor CI/CD pipelines for unauthorized modifications or triggers
- Apply strict package integrity checks: pin versions, install from a reviewed lockfile (npm ci), and disable lifecycle scripts (--ignore-scripts) where the build allows it, since this campaign depended on install-time script execution
- Enable multi-factor authentication (MFA) on all developer accounts
- Restrict permissions of access tokens to follow the principle of least privilege
- Monitor network traffic for suspicious exfiltration attempts
- Educate developers on phishing risks to avoid credential theft
- Regularly update security tools to detect emerging supply chain threats
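To make the audit step concrete, the following Python script is an added example (not code from the advisory or from any of the affected projects). It checks a package-lock.json against the trojanized versions listed above, flags install-time scripts that run a bundle.js, and matches file content and workflow text against the hash and URL IOCs in this advisory. The lockfile layouts follow npm's v1 ("dependencies") and v2/v3 ("packages") formats; the sample lockfiles and package.json are constructed for the demonstration.

```python
"""Audit helpers for the npm compromises described above (added example, not the
advisory's or any affected project's code). Assumes npm's package-lock.json layout
(v1 "dependencies" or v2/v3 "packages"); version list, hashes and URL are copied
from this page; every sample input below is constructed."""
import hashlib

NX = {"21.5.0", "20.9.0", "20.10.0", "21.6.0", "20.11.0", "21.7.0", "21.8.0", "20.12.0"}
# package -> trojanized versions named in this advisory (first wave, CrowdStrike wave, Nx wave)
COMPROMISED = {
    "angulartics2": {"14.1.2"}, "@ctrl/deluge": {"7.2.2"}, "@ctrl/golang-template": {"1.4.3"},
    "@ctrl/magnet-link": {"4.0.4"}, "@ctrl/ngx-codemirror": {"7.0.2"}, "@ctrl/ngx-csv": {"6.0.2"},
    "@ctrl/ngx-emoji-mart": {"9.2.2"}, "@ctrl/ngx-rightclick": {"4.0.2"}, "@ctrl/qbittorrent": {"9.7.2"},
    "@ctrl/react-adsense": {"2.0.2"}, "@ctrl/shared-torrent": {"6.3.2"}, "@ctrl/tinycolor": {"4.1.1", "4.1.2"},
    "@ctrl/torrent-file": {"4.1.2"}, "@ctrl/transmission": {"7.3.1"}, "ngx-color": {"10.0.2"},
    "ngx-toastr": {"19.0.2"}, "ngx-trend": {"8.0.1"}, "react-complaint-image": {"0.0.35"},
    "rxnt-authentication": {"0.0.6"}, "@crowdstrike/commitlint": {"8.1.1", "8.1.2"},
    "@crowdstrike/falcon-shoelace": {"0.4.2"}, "@crowdstrike/glide-core": {"0.34.2", "0.34.3"},
    "@crowdstrike/logscale-dashboard": {"1.205.2"}, "eslint-config-crowdstrike": {"11.0.3"},
    "remark-preset-lint-crowdstrike": {"4.0.2"}, "nx": NX, "@nx/eslint": {"21.5.0"},
    "@nx/devkit": {"21.5.0", "20.9.0"}, "@nx/js": {"21.5.0", "20.9.0"},
    "@nx/workspace": {"21.5.0", "20.9.0"}, "@nx/node": {"21.5.0", "20.9.0"},
    "@nx/key": {"3.2.0"}, "@nx/enterprise-cloud": {"3.2.0"},
}

# Hashes and exfiltration endpoint from the IOC section of this advisory. The page does
# not say which file the hashes describe, so the check is applied to any file content.
IOC_HASHES = {
    "78e701f42b76ccde3f2678e548886860",                                   # MD5
    "8b98ab71cc71c8768de27af80a3e0d1bc6c8d809",                           # SHA-1
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",  # SHA-256
}
IOC_URL = "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _walk_v1(deps: dict, hits: set) -> None:
    """Recurse through lockfile v1 'dependencies', where transitive deps are nested."""
    for name, meta in deps.items():
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.add((name, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), hits)


def find_compromised(lock: dict) -> list[tuple[str, str]]:
    """Return sorted (package, version) pairs from a package-lock.json that match the list."""
    hits: set[tuple[str, str]] = set()
    for path, meta in lock.get("packages", {}).items():         # lockfile v2/v3
        if not path:                                               # "" is the root project entry
            continue
        # Keys look like "node_modules/a/node_modules/@scope/b"; the last segment is the name.
        name = meta.get("name") or path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.add((name, meta["version"]))
    _walk_v1(lock.get("dependencies", {}), hits)                   # lockfile v1
    return sorted(hits)


def suspicious_install_hooks(pkg: dict) -> list[str]:
    """Lifecycle scripts that execute a bundle.js, the injection pattern this campaign used."""
    scripts = pkg.get("scripts", {})
    return [h for h in INSTALL_HOOKS if "bundle.js" in scripts.get(h, "")]


def matches_ioc_hash(data: bytes) -> bool:
    """True if the content hashes to any of the advisory's MD5, SHA-1 or SHA-256 IOCs."""
    digests = (hashlib.md5(data), hashlib.sha1(data), hashlib.sha256(data))
    return any(d.hexdigest() in IOC_HASHES for d in digests)


def references_exfil_url(text: str) -> bool:
    """True if a workflow or script body contains the exfiltration endpoint from the IOC list."""
    return IOC_URL in text


# Constructed sample inputs (not real projects).
SAMPLE_LOCK_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/ngx-toastr": {"version": "19.0.1"},    # one patch below the bad version
        "node_modules/nx": {"version": "21.5.0"},
        "node_modules/some-lib/node_modules/@ctrl/deluge": {"version": "7.2.2"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {"some-lib": {"version": "2.0.0",
                                  "dependencies": {"@crowdstrike/commitlint": {"version": "8.1.2"}}}},
}
SAMPLE_PACKAGE_JSON = {"name": "demo-dep", "version": "1.0.0",
                       "scripts": {"build": "tsc", "postinstall": "node bundle.js"}}

if __name__ == "__main__":
    print(find_compromised(SAMPLE_LOCK_V3))   # [('@ctrl/deluge', '7.2.2'), ('@ctrl/tinycolor', '4.1.2'), ('nx', '21.5.0')]
    print(find_compromised(SAMPLE_LOCK_V1))   # [('@crowdstrike/commitlint', '8.1.2')]
    print(suspicious_install_hooks(SAMPLE_PACKAGE_JSON))  # ['postinstall']
```

Against a real project, feed it the parsed lockfile (json.load on package-lock.json) and walk node_modules for package.json files and hash candidates. Any hit means the machine or runner that performed the install has already executed attacker code, so rotate every reachable token before cleaning up. The version list is only what this advisory names and should be extended as further packages are confirmed.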