CISA Warns of Shai-Hulud Self-Replicating Worm That Compromised 500+ Packages in npm Registry

CISA has issued an urgent security alert in response to a large-scale software supply chain attack on npmjs.com, the world's largest JavaScript package registry.

A self-replicating worm, dubbed Shai-Hulud, has infiltrated more than 500 npm packages and injected malicious code that aggressively spreads by abusing developer credentials and npm publish workflows.

Self-Replicating npm Supply Chain Threat

After securing initial access presumably via a compromised maintainer account, Shai-Hulud deploys a sophisticated payload that scans for sensitive credentials stored in environment variables and local configuration files. 

The malware targets GitHub Personal Access Tokens (PATs) and API keys for AWS, GCP, and Azure, exploiting common CI/CD practices where tokens are inadvertently persisted. 

Once harvested, credentials are exfiltrated to an actor-controlled endpoint and simultaneously uploaded to a public GitHub repository named Shai-Hulud, created through the GitHub /user/repos API.

Shai-Hulud then uses an automated loop to authenticate to the npm registry with the stolen tokens. Using the npm CLI, it injects malicious JavaScript into the entry-point file (often index.js) of other packages in the compromised developer's dependency tree.

Following the injection, the worm runs 'npm version patch && npm publish --access public' to publish a trojanized version, thereby perpetuating its spread.

The worm’s self-replication mechanism exploits transitive dependencies: any project depending on one of the compromised packages can inadvertently become a new host.

Mitigations

CISA recommends immediate action to detect and remediate this compromise:

  • Examine all package-lock.json and yarn.lock files to identify packages released after September 16, 2025. Use npm audit and static analysis tools to flag unexpected code changes or additional postinstall scripts.
  • Rotate all developer credentials and revoke exposed GitHub PATs. Enforce phishing-resistant multi-factor authentication (MFA) on every developer account, particularly for GitHub and npm registry logins.
  • Implement IDS/IPS rules to monitor anomalous SSH and HTTPS connections. Block outbound traffic to known suspicious endpoints, including webhook.site domains, and audit firewall logs for unexpected DNS queries and egress to unfamiliar IP ranges.
  • Remove unnecessary GitHub Apps and OAuth permissions. Enable branch protection rules, secret scanning, and Dependabot security updates. Audit webhooks and repository-level secrets for unauthorized changes.
  • Pin dependencies to known safe versions published prior to September 16, 2025. Set exact versions rather than ranges (e.g., "lodash": "4.17.21") in package.json to prevent inadvertent updates to compromised releases.

Enhanced vigilance across the development pipeline is crucial to stem the worm’s propagation and safeguard the integrity of the npm ecosystem.
