
As of September 18, 2025, organizations that build or run JavaScript software face a high‑risk supply chain incident: the Shai‑Hulud npm worm is actively compromising maintainer accounts, inserting a malicious postinstall bundle.js into popular packages, harvesting tokens and secrets, and mass‑migrating private GitHub repositories to public. Evidence shows large‑scale propagation and data exposure; no CVE/KEV entry applies because this is a campaign, not a product vulnerability. Immediate secret rotation, repo review, and dependency hygiene are required. [1][16] (reversinglabs.com)
Overview
ReversingLabs identified Shai‑Hulud on September 15, 2025, noting compromised node package manager (npm) accounts publishing new, infected versions that auto‑run bundle.js during install (via a postinstall script). The payload steals npm, GitHub, AWS, and GCP tokens (plus any other secrets it can find on the host using TruffleHog), then exfiltrates them to GitHub by creating a “Shai‑Hulud” repository containing a double‑Base64‑encoded data.json. It also creates public copies of the victim’s private repositories named with a “-migration” suffix, enabling further reconnaissance and credential discovery. [1] (reversinglabs.com)
The earliest malicious publication ReversingLabs attributes to the outbreak is rxnt-authentication 0.0.3 on September 14, 2025 at 17:58:50 UTC (“patient zero”), with rapid spread to hundreds of packages—some with very high download counts, magnifying downstream risk. [1] (reversinglabs.com)
This campaign’s TTPs echo the late‑August Nx “s1ngularity” compromise, where GitHub and npm tokens were stolen, secrets and files were pushed to attacker‑named repos, and later 6,700+ private repos were made public—demonstrating how exfiltrated credentials fuel cascading compromise across ecosystems. [12][15] (wiz.io)
Wiz’s Shai‑Hulud write‑up further details the worm’s self‑propagation: upon encountering additional npm tokens, it re‑publishes malicious versions for any packages it can access; it also deploys a malicious GitHub Actions workflow that exfiltrates secrets to a webhook[.]site endpoint and mass‑migrates private repositories. [13] (wiz.io)
Impact
- Credential theft enables unauthorized access to source code, CI/CD, and cloud resources, risking further supply chain tampering and cloud account compromise. [1][13] (reversinglabs.com)
- Public exposure of previously private repositories increases the chance of secondary exploitation (secret discovery, vulnerability mining, IP theft). Nx’s aftermath illustrates the scale: 6,700+ private repos made public and thousands of secrets and files exposed. [12][15] (wiz.io)
- Operationally, organizations may need emergency secret rotation, package rebuilds, and widespread repo hygiene, including hunting for attacker‑created branches and workflows. [1][13] (reversinglabs.com)
Affected Products & Versions
- The npm packages published by compromised maintainers; examples cited by researchers include @ctrl/tinycolor (2M+ weekly downloads), ngx‑bootstrap (~300k), and ng2‑file‑upload (~100k). Expect multiple maintainers and hundreds of packages/versions to be involved. [1][16] (reversinglabs.com)
- Earliest observed malicious package: rxnt‑authentication 0.0.3 (published September 14, 2025 17:58:50 UTC). [1] (reversinglabs.com)
- Platforms targeted: payload execution has been confirmed on Linux and macOS environments during npm install; several analyses note deliberate skipping of Windows. [14] (stepsecurity.io)
- Fixed versions: no universal “patch” exists; maintainers must republish clean versions and revoke tokens. Consumers should pin and verify versions and signatures/provenance where available. [1][4] (reversinglabs.com)
Exposure & Exploitability
- Initial access: compromise of maintainer credentials/tokens, followed by malicious re‑publishing with postinstall execution—mapped to ATT&CK Supply Chain Compromise (T1195). [1][8] (reversinglabs.com)
- Lateral expansion: valid account abuse (npm/GitHub/cloud tokens) to spread and deepen access (ATT&CK Valid Accounts T1078). [13] (wiz.io)
- Exfiltration: attacker‑created GitHub repos (T1567.001) and webhooks (T1567.004) drive data removal and “repo migration” exposure. [1][9][10] (reversinglabs.com)
- Exploit maturity: propagation is active and automated, and mass repository exposure has already been observed, so additional victims are likely wherever stolen tokens remain valid or dependencies are unpinned. [12] (wiz.io)
Detection & Telemetry
Prioritize unified visibility across endpoints, Git hosting, CI/CD, and network egress:
- GitHub Audit Logs (Org/Enterprise)
  - Hunt for repo.create events tied to repos named “Shai‑Hulud” or suffixed “-migration,” and for repo.access events recording a visibility change from private to public. [6] (docs.github.com)
  - Look for org_credential_authorization.deauthorize (GitHub‑initiated mass revocations) to confirm remediation cadence and potential residual risk. [7] (docs.github.com)
- Repository/Content Indicators
  - New branch named shai‑hulud; presence of .github/workflows/shai‑hulud‑workflow.yml in any repo; commits authored from unusual IPs/agents. [1][13] (reversinglabs.com)
- Endpoint/Process Telemetry (developer workstations, CI runners)
  - Node/npm invoking postinstall to run a large bundle.js (3MB+), spawning trufflehog, curl/wget to webhook[.]site, or gh CLI automation; npm version patch && npm publish from atypical hosts. [1][14] (reversinglabs.com)
- Network Egress
  - HTTPS to api.github.com with abnormal create/fork/migration patterns; traffic to webhook[.]site domains; sudden spikes of Git operations from build/test hosts. [1][10] (reversinglabs.com)
- ATT&CK Mapping
  - T1195 (Supply Chain Compromise), T1078 (Valid Accounts), T1567.001 (Exfiltration to Code Repository), T1567.004 (Exfiltration Over Webhook). [8][9][10] (attack.mitre.org)
Recommended analytics examples:
- Alert when npm install runs with scripts and fetches remote resources during postinstall; correlate to package.json diffs adding postinstall in newly published versions. [1][3] (reversinglabs.com)
- Detect newly public repos named “Shai‑Hulud Migration” under employee accounts within a short time window; pivot to corresponding token use and IP reputation. [1] (reversinglabs.com)
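The audit‑log hunt described above (suspicious repo.create names, visibility flips, and a burst of creations under one account within a short window) as an added JavaScript example; this is not code from ReversingLabs, Wiz, or GitHub. It assumes an organization audit‑log export as JSON records with action, actor, repo and created_at fields; the visibility field on repo.access events, the 10‑minute window and the threshold of three creations are assumptions to tune. The “-migration” suffix alone is noisy (ordinary “db-migration” repos exist), which is why the burst check carries the weight.

```javascript
'use strict';

// Repository names reported for the worm: the exfiltration repo "Shai-Hulud"
// and public copies of private repos suffixed "-migration". The suffix alone
// is noisy, so burst detection below separates worm activity from normal use.
const SUSPICIOUS_REPO_NAME = /^shai[-_ ]?hulud$|-migration$/i;

// Normalize one audit-log record. action/actor/repo/created_at are standard
// GitHub audit-log export fields; `visibility` on repo.access events is an
// assumption of this example.
function normalizeEvent(ev) {
  return {
    action: ev.action,
    actor: ev.actor,
    repo: ev.repo || '',
    visibility: ev.visibility || null,
    ts: typeof ev.created_at === 'number' ? ev.created_at : Date.parse(ev.created_at),
  };
}

// True if at least `count` timestamps fall inside some window of `windowMs`.
function hasBurst(timestamps, windowMs, count) {
  const ts = [...timestamps].sort((a, b) => a - b);
  for (let i = 0; i + count - 1 < ts.length; i++) {
    if (ts[i + count - 1] - ts[i] <= windowMs) return true;
  }
  return false;
}

// Returns findings of three kinds: suspicious_repo_create, visibility_to_public,
// and burst_repo_create (one actor creating >= burstCount suspicious repos
// within windowMs, the signature of automated "migration").
function huntAuditLog(events, { windowMs = 10 * 60 * 1000, burstCount = 3 } = {}) {
  const findings = [];
  const createsByActor = new Map();

  for (const raw of events) {
    const ev = normalizeEvent(raw);
    const shortName = ev.repo.split('/').pop();
    if (ev.action === 'repo.create' && SUSPICIOUS_REPO_NAME.test(shortName)) {
      findings.push({ kind: 'suspicious_repo_create', actor: ev.actor, repo: ev.repo, ts: ev.ts });
      if (!createsByActor.has(ev.actor)) createsByActor.set(ev.actor, []);
      createsByActor.get(ev.actor).push(ev.ts);
    }
    if (ev.action === 'repo.access' && ev.visibility === 'public') {
      findings.push({ kind: 'visibility_to_public', actor: ev.actor, repo: ev.repo, ts: ev.ts });
    }
  }

  for (const [actor, stamps] of createsByActor) {
    if (hasBurst(stamps, windowMs, burstCount)) {
      findings.push({ kind: 'burst_repo_create', actor, count: stamps.length });
    }
  }
  return findings;
}

// Constructed sample export (not real audit data): one account creating three
// suspicious repos in under three minutes, and one benign "-migration" repo.
const SAMPLE_EVENTS = [
  { action: 'repo.create', actor: 'dev-alice', repo: 'acme/Shai-Hulud', created_at: '2025-09-16T09:00:00Z' },
  { action: 'repo.create', actor: 'dev-alice', repo: 'acme/payments-api-migration', created_at: '2025-09-16T09:01:10Z' },
  { action: 'repo.access', actor: 'dev-alice', repo: 'acme/payments-api-migration', visibility: 'public', created_at: '2025-09-16T09:01:12Z' },
  { action: 'repo.create', actor: 'dev-alice', repo: 'acme/infra-terraform-migration', created_at: '2025-09-16T09:02:40Z' },
  { action: 'repo.create', actor: 'dev-bob', repo: 'acme/new-feature', created_at: '2025-09-16T09:05:00Z' },
  { action: 'repo.create', actor: 'dev-bob', repo: 'acme/db-migration', created_at: '2025-09-15T14:00:00Z' },
];

// Summarize findings as { kind: count } for a quick triage view.
function countByKind(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.kind]: (acc[f.kind] || 0) + 1 }), {});
}

console.log(countByKind(huntAuditLog(SAMPLE_EVENTS)));
```

On the sample data this reports four suspicious creations, one visibility flip, and one burst attributed to dev-alice; dev-bob’s lone db-migration repo is listed but does not trigger the burst rule. Pivot from any burst actor to that account’s token usage and source IPs.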
Mitigations & Patching/Workarounds
- Revoke/rotate all GitHub, npm, cloud tokens found on affected systems; audit GitHub for new repos/branches/workflows tied to “Shai‑Hulud,” and remove them. [1][13] (reversinglabs.com)
- Pin dependencies and temporarily disable lifecycle scripts in sensitive CI paths (e.g., npm ci --ignore-scripts) while assessing impact. This also skips the install scripts of legitimate native or optional‑binary packages, so re‑enable selectively (for example, npm rebuild <package> for each reviewed, allow‑listed package) rather than globally. [3][10] (docs.npmjs.com)
- Prefer npm “Trusted Publishing” (OIDC) with provenance over long‑lived tokens; enforce granular access tokens and 2FA for maintainers. [4][5] (docs.npmjs.com)
- Validate and rebuild from clean source with provenance where available; verify that newly republished package versions remove postinstall and embedded bundle.js. [4] (docs.npmjs.com)
Timeline
- August 26–31, 2025: Nx “s1ngularity” attack phases—initial malicious npm versions, then 6,700+ private repos made public using stolen tokens; remediation and revocations follow. [12][15] (wiz.io)
- September 14, 2025 17:58:50 UTC: First known Shai‑Hulud malicious package (rxnt‑authentication 0.0.3) published. [1] (reversinglabs.com)
- September 15, 2025: ReversingLabs detects the Shai‑Hulud outbreak; early public indicators emerge. [1] (reversinglabs.com)
- September 16, 2025: ReversingLabs publishes technical analysis consolidating worm behavior, IOCs, and repo migration patterns. [1] (reversinglabs.com)
- September 17, 2025: Media and additional researchers report 180+ impacted packages and 700+ malicious versions published; further IOCs shared. [16] (securityweek.com)
- September 18, 2025: This advisory issued, synthesizing latest research for defenders.
References
- ReversingLabs – Self‑replicating Shai‑hulud worm spreads token‑stealing malware on npm (September 16, 2025). (reversinglabs.com)
- ReversingLabs – Crypto wallets targeted in widespread hack of npm, GitHub (September 9, 2025). (reversinglabs.com)
- npm Docs – config: ignore‑scripts (how to disable lifecycle scripts). (docs.npmjs.com)
- npm Docs – Trusted publishing for npm packages (provenance/OIDC). (docs.npmjs.com)
- npm Docs – About access tokens (granular tokens, automation vs. publish). (docs.npmjs.com)
- GitHub Docs – Audit log events for your organization (repo.create and related auditables). (docs.github.com)
- GitHub Docs – org_credential_authorization.deauthorize event (mass token revocation). (docs.github.com)
- MITRE ATT&CK – Supply Chain Compromise (T1195). (attack.mitre.org)
- MITRE ATT&CK – Exfiltration to Code Repository (T1567.001). (attack.mitre.org)
- MITRE ATT&CK – Exfiltration Over Webhook (T1567.004). (attack.mitre.org)
- CISA – Exfiltration Over Web Service (T1567) overview. (cisa.gov)
- Wiz – s1ngularity’s Aftermath: analysis of Nx supply chain attack (September 3, 2025). (wiz.io)
- Wiz – Shai‑Hulud npm Supply Chain Attack (technical analysis and IOCs). (wiz.io)
- StepSecurity – @ctrl/tinycolor and 40+ npm packages compromised (Shai‑Hulud deep dive). (stepsecurity.io)
- SecurityWeek – Over 6,700 private repositories made public in Nx supply chain attack (September 8, 2025). (securityweek.com)
- SecurityWeek – Shai‑Hulud Supply Chain Attack: 180+ npm packages hit (September 17, 2025). (securityweek.com)