In mid-September, cybersecurity researchers uncovered a self-propagating malware called “Shai-Hulud”, which is involved in a large-scale supply chain attack targeting a tool that helps manage JavaScript packages and dependencies. This attack leverages malicious Node Package Manager (NPM) packages planted in the NPM ecosystem used by millions of software developers worldwide. As of this writing, the ongoing attack has affected more than 700 packages, including high-profile CrowdStrike packages.

The campaign aims to compromise developers' machines, then extract credentials, tokens, and other secrets. Organizations with significant software development operations, especially those that rely heavily on NPM packages and CI/CD pipelines in their development processes, should be particularly vigilant. Shai-Hulud is capable of targeting both Windows and Linux systems.

Below, we summarize what is currently known about this attack, link to additional information, and highlight tools and resources from Recorded Future that can help organizations defend themselves. This is an evolving threat and we will be providing new information as it becomes available.

Key Shai-Hulud characteristics

The malicious Shai-Hulud payload (it’s named after the sandworms in the sci-fi epic, Dune)
is contained in trojanized NPM packages, including some important CrowdStrike packages and others with millions of weekly downloads. The attack centers on a “bundle.js” script that downloads and executes TruffleHog, a legitimate credential scanner, to collect developer and CI/CD tokens, cloud service credentials, and environment variables. The script validates tokens and exfiltrates the collected data via hard-coded webhooks and GitHub Actions workflows.

Rather than simply deploying malware on individual machines, Shai-Hulud propagates through NPM packages in a worm-like fashion while simultaneously creating unauthorized GitHub Actions workflows (“shai-hulud.yaml” or “shai-hulud-workflow.yml” files) in compromised repositories. These workflows serve as persistent backdoors that automatically exfiltrate repository secrets and sensitive data whenever CI pipelines execute, creating a self-sustaining attack mechanism that can survive even after the initial compromise is detected and remediated. This technique effectively weaponizes the victim's own development infrastructure for ongoing espionage and data theft.

High-priority next steps for this particularly dangerous attack

Add up the factors detailed above and it’s clear why this is a serious attack with potentially damaging consequences:

• Automatically spreads to new packages (worm-like behavior)
• Steals developer credentials and CI/CD pipeline tokens
• Creates persistent backdoors in GitHub repositories
• Affects some high-profile, widely used packages

Although known affected packages have been removed from the NPM registry, Insikt Group strongly advises organizations to take these steps:

• Search for and remove compromised NPM versions
• Rotate tokens
• Audit CI/CD environments
• Review repositories for unauthorized workflows or anomalous branches

What Recorded Future is doing to help clients defend against the Shai-Hulud attack

Threat Intelligence Coverage

Recorded Future is providing real-time reporting via the Insikt Group to track the evolution of this campaign, as well as highlighting background insights from previous similar attacks to offer additional context.

Malware Intelligence

The Insikt Group obtained and analyzed compromised package samples and provided IOCs, including command and control infrastructure, webhook endpoints, and file hashes. We have also conducted a detailed technical breakdown of “bundle.js” payload and attack mechanisms.

Based on static code analysis, bundle.js performs the following actions on a victim's machine:

AWS Integration Capabilities:

• Detects if an HTTP status code is a redirect
• Validates and resolves Web Identity AWS credential profiles
• Provides a fully configured AWS Security Token Service (STS) client with retry, signing, user-agent, region, and middleware setup
• Implements an IP address resolver for ipv4:// and ipv6:// URIs in Google Remote Procedure Call (gRPC)-style resolution
• Exposes AWS Secrets Manager command serializers/deserializers, such as create, get, update, delete, rotate, and replicate secrets

GitHub Repository Compromise:

• Verifies the supplied GitHub Personal Access Token (PAT) and checks if it contains repository and workflow scopes
• Fetches the default branch SHA for each repository
• Defines a new branch named "shai-hulud" and creates it across targeted repositories

Malicious Workflow Deployment:

• Creates a workflow file at path ".github/workflows/shai-hulud-workflow.yml"
• Encodes the workflow file using Base64 and uploads it to the shai-hulud branch via the Contents API
• Embeds a workflow that triggers on every push with a single step that sets "CONTENTS=${{ toJSON(secrets) }}"

Data Exfiltration:

• Uses curl to exfiltrate all available repository secrets to its command-and-control (C2) server hosted on hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
• Encodes the secrets using Base64 and prints them to the logs
• Immediately runs the workflow on the shai-hulud branch, exfiltrating secrets off-site and leaking them in job logs once a push is made

Customers can easily investigate these samples further from the Shai-Hulud Intelligence Card®.

Third-Party Intelligence

Public reporting on companies impacted by Shai-Hulud will trigger Risk Rules and Playbook Alerts, providing immediate visibility into supply chain exposure across an organization’s vendor ecosystem.

Brand Intelligence

Add "Shai-Hulud" as a keyword to your Code Repo Playbook Alerts to detect any references to this campaign in your code repositories or development environments.

Fallout and what’s next

As of this writing, it's too early to say how this attack will evolve or to assess the scale of its effects.

Additional Sources

• https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-NPM-packages?utm_medium=feed
  • https://cybernews.com/crypto/NPM-users-advanced-supply-chain-attack-infiltrates-40-packages/
  • https://x.com/feross/status/1967732902256579014
  • https://app.recordedfuture.com/portal/research/insikt/doc:-B9Srl
• https://www.aikido.dev/blog/NPM-debug-and-chalk-packages-compromised
  • https://app.recordedfuture.com/live/sc/3DMkqz2mkLyR
  • https://x.com/AikidoSecurity/status/1965073757262827796
  • https://app.recordedfuture.com/live/sc/21MCvGQ4Qusi
  • https://x.com/CharlieEriksen/status/1965134623224242208
  • https://app.recordedfuture.com/live/sc/7DUqR0yiqxs4
  • https://x.com/sifex/status/1965082909519630624
  • https://socket.dev/blog/NPM-author-qix-compromised-in-major-supply-chain-attack
  • https://app.recordedfuture.com/live/sc/6kNzRN3jdsnU
  • https://socket.dev/blog/duckdb-NPM-account-compromised-in-continuing-supply-chain-attack
  • https://app.recordedfuture.com/live/sc/1hi7Un0QRCU4
  • https://x.com/SocketSecurity/status/1965363025264914918
  • https://app.recordedfuture.com/live/sc/2qEjfYLWHQKA
  • https://www.linkedin.com/posts/advocatemack_malware-NPM-supplychain-activity-7370829639537291264-jxZD/
  • https://app.recordedfuture.com/live/sc/6efJTQoCRAqG
  • https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
  • https://github.com/advisories/GHSA8mgj-vmr8-frr6
  • https://app.recordedfuture.com/live/sc/40fEFSw5I0RG
  • https://x.com/Cyb3rMonk/status/1965149631836463252
  • https://app.recordedfuture.com/live/sc/6KqmRMDuxybB
  • https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/blob/main/Uncategorized/NPM%20debug%20and%20chalk%20co mpromise%20092025.md
  • https://tria.ge/250908-wl45pazyc1/behavioral2