Speak With A Security Expert Now

THE THREAT

On September 16th, 2025, a large-scale attack against npm was discovered, affecting 187 packages including several from CrowdStrike. The attack, attributed to the same threat actors behind the August 27th Nx attack, deployed a worm named "Shai Hulud" that automatically steals and publicly publishes secrets to GitHub, runs trufflehog to gather secrets, creates GitHub actions for data exfiltration through webhook sites, and makes private repositories public.

In response to the incident, CrowdStrike has confirmed the identification of malicious packages in the public NPM registry and has taken immediate remediation steps, including package removal and key rotation. The company has emphasized that their Falcon sensor and platform remain unaffected, and customer protection remains intact. They are currently collaborating with NPM for a thorough investigation of the incident.

eSentire has performed a thorough investigation and confirmed we do not have internal risk from any known malicious Node Package Manager (NPM) packages relating to this incident. There is no impact to our service delivery or customer protection. With any worm attack this is an ongoing and dynamic scenario, and we will continue to remain on high alert. We are proactively threat hunting and sweeping across our customer environments with eSentire Agent and exploring additional threat detection content builds across our customer base. We proactively recommend rotating all potentially compromised credentials, including npm tokens and GitHub access tokens. Organizations that rely on the impacted npm packages face the risk of data theft and follow on attacks, as such, rapid remediation is critical.

What we’re doing about it

Threat Hunts for known Indicators of Compromise (IoCs), via eSentire MDR for Endpoint and MDR for Log, are ongoing
eSentire has rotated relevant user credentials out of an abundance of caution
eSentire Threat Intelligence team is tracking this topic for additional details and detection opportunities

What you should do about it

Organizations are advised to implement a comprehensive remediation plan including immediate package audits, credential rotation, and enhanced security controls
- Immediately removing and replacing all affected packages, specifically check the project’s lockfile (package-lock.json)
  - rm -rf node_modules && npm cache clean --force
- Conducting full security audits of CI/CD pipelines and development environments
  - Remove any malicious packages and rebuild the project with clean dependencies both locally and on the CI/CD production server
- Implementing strict version pinning and package lockfiles
- Rotating all potentially compromised credentials
  - GitHub tokens, npm tokens, SSH keys, API keys, and environment variable secrets
- Implementing automated security controls such as package signing, mandatory code review processes, and continuous dependency scanning
- Run tools like npm audit, Snyk, or other Software Composition Analysis (SCA) tools
- Issue an invalidation command for all affected JavaScript assets on their Content Delivery Network (CDN) to force servers to discard the cached malicious files
- Follow OWASP npm Security Best Practices in the software development life cycle
- Integrate GitHub logs into SIEM (MDR for Log) for enhanced monitoring

Additional information

The npm ecosystem has experienced a series of significant supply chain attacks in recent months, demonstrating an alarming trend in sophisticated attack methodologies. Following the Nx attack on August 27th and the Debug/Chalk package compromises on September 8th, and the most recent incident affecting CrowdStrike's npm packages highlights that even security-focused organizations are not immune to these threats. While the initial attack vector targeting CrowdStrike's packages remains undisclosed, the attackers demonstrated sophisticated capabilities by leveraging security tools like TruffleHog for credential harvesting and implementing advanced self-propagation mechanisms.

The threat actors deployed an advanced self-propagating malware dubbed "Shai Hulud," which demonstrated significant evolution from their previous Nx attack. The malware's sophisticated infection mechanism utilized automated package compromise through npm registry, affecting critical CrowdStrike components including @crowdstrike/commitlint (8.1.1, 8.1.2) and @crowdstrike/falcon-shoelace (0.4.1, 0.4.2). It incorporated self-propagation via modified package.json files, malicious postinstall hook injection, and automatic version number incrementation. Its data exfiltration capabilities were extensive, including environment variable harvesting (process.env), cloud service credential extraction from AWS and GCP metadata endpoints, and integration with TruffleHog for secret detection. The malware employed dual exfiltration channels, creating dedicated GitHub repositories and implementing GitHub Actions workflows with webhook endpoints, while encoding sensitive data in GitHub Actions logs.

The eSentire Threat Intelligence team assesses that threat actors will continue to carry out supply chain attacks by targeting npm developers. Organizations are advised to implement a comprehensive remediation plan including immediate package audits, credential rotation, and enhanced security controls. Critical steps include: 1) Immediately removing and replacing all affected packages, 2) Conducting full security audits of CI/CD pipelines and development environments, 3) Implementing strict version pinning and package lockfiles, and 4) Rotating all potentially compromised credentials, including npm tokens and GitHub access tokens. Additionally, organizations should consider implementing automated security controls such as package signing, mandatory code review processes, and continuous dependency scanning. For long-term protection, organizations should follow OWASP Software Component Verification Standard (SCVS) and implement robust Software Bill of Materials (SBOM) tracking to maintain visibility into their software supply chain dependencies.

Indicators of Compromise (IOCs)
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09	bundle.js
hxxps[://]webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7	Exfiltration endpoint
.github/workflows/shai-hulud-workflow.yml	Malicious workflow file
@ahmedhfarag/ngx-perfect-scrollbar	20.0.20
@ahmedhfarag/ngx-virtual-scroller	4.0.4
@art-ws/common	2.0.28
@art-ws/config-eslint	2.0.4, 2.0.5
@art-ws/config-ts	2.0.7, 2.0.8
@art-ws/db-context	2.0.24
@art-ws/di	2.0.28, 2.0.32
@art-ws/di-node	2.0.13
@art-ws/eslint	1.0.5, 1.0.6
@art-ws/fastify-http-server	2.0.24, 2.0.27
@art-ws/http-server	2.0.21, 2.0.25
@art-ws/openapi	0.1.9, 0.1.12
@art-ws/package-base	1.0.5, 1.0.6
@art-ws/prettier	1.0.5, 1.0.6
@art-ws/slf	2.0.15, 2.0.22
@art-ws/ssl-info	1.0.9, 1.0.10
@art-ws/web-app	1.0.3, 1.0.4
@crowdstrike/commitlint	8.1.1, 8.1.2
@crowdstrike/falcon-shoelace	0.4.1, 0.4.2
@crowdstrike/foundry-js	0.19.1, 0.19.2
@crowdstrike/glide-core	0.34.2, 0.34.3
@crowdstrike/logscale-dashboard	1.205.1, 1.205.2
@crowdstrike/logscale-file-editor	1.205.1, 1.205.2
@crowdstrike/logscale-parser-edit	1.205.1, 1.205.2
@crowdstrike/logscale-search	1.205.1, 1.205.2
@crowdstrike/tailwind-toucan-base	5.0.1, 5.0.2
@ctrl/deluge	7.2.1, 7.2.2
@ctrl/golang-template	1.4.2, 1.4.3
@ctrl/magnet-link	4.0.3, 4.0.4
@ctrl/ngx-codemirror	7.0.1, 7.0.2
@ctrl/ngx-csv	6.0.1, 6.0.2
@ctrl/ngx-emoji-mart	9.2.1, 9.2.2
@ctrl/ngx-rightclick	4.0.1, 4.0.2
@ctrl/qbittorrent	9.7.1, 9.7.2
@ctrl/react-adsense	2.0.1, 2.0.2
@ctrl/shared-torrent	6.3.1, 6.3.2
@ctrl/tinycolor	4.1.1, 4.1.2
@ctrl/torrent-file	4.1.1, 4.1.2
@ctrl/transmission	7.3.1
@ctrl/ts-base32	4.0.1, 4.0.2
@hestjs/core	0.2.1
@hestjs/cqrs	0.1.6
@hestjs/demo	0.1.2
@hestjs/eslint-config	0.1.2
@hestjs/logger	0.1.6
@hestjs/scalar	0.1.7
@hestjs/validation	0.1.6
@nativescript-community/arraybuffers	1.1.6, 1.1.7, 1.1.8
@nativescript-community/gesturehandler	2.0.35
@nativescript-community/perms	3.0.5, 3.0.6, 3.0.7, 3.0.8
@nativescript-community/sqlite	3.5.2, 3.5.3, 3.5.4, 3.5.5
@nativescript-community/text	1.6.9, 1.6.10, 1.6.11, 1.6.12
@nativescript-community/typeorm	0.2.30, 0.2.31, 0.2.32, 0.2.33
@nativescript-community/ui-collectionview	6.0.6
@nativescript-community/ui-document-picker	1.1.27, 1.1.28
@nativescript-community/ui-drawer	0.1.30
@nativescript-community/ui-image	4.5.6
@nativescript-community/ui-label	1.3.35, 1.3.36, 1.3.37
@nativescript-community/ui-material-bottom-navigation	7.2.72, 7.2.73, 7.2.74, 7.2.75
@nativescript-community/ui-material-bottomsheet	7.2.72
@nativescript-community/ui-material-core	7.2.72, 7.2.73, 7.2.74, 7.2.75
@nativescript-community/ui-material-core-tabs	7.2.72, 7.2.73, 7.2.74, 7.2.75
@nativescript-community/ui-material-ripple	7.2.72, 7.2.73, 7.2.74, 7.2.75
@nativescript-community/ui-material-tabs	7.2.72, 7.2.73, 7.2.74, 7.2.75
@nativescript-community/ui-pager	14.1.36, 14.1.37, 14.1.38
@nativescript-community/ui-pulltorefresh	2.5.4, 2.5.5, 2.5.6, 2.5.7
@nexe/config-manager	0.1.1
@nexe/eslint-config	0.1.1
@nexe/logger	0.1.3
@nstudio/angular	20.0.4, 20.0.5, 20.0.6
@nstudio/focus	20.0.4, 20.0.5, 20.0.6
@nstudio/nativescript-checkbox	2.0.6, 2.0.7, 2.0.8, 2.0.9
@nstudio/nativescript-loading-indicator	5.0.1, 5.0.2, 5.0.3, 5.0.4
@nstudio/ui-collectionview	5.1.11, 5.1.12, 5.1.13, 5.1.14
@nstudio/web	20.0.4
@nstudio/web-angular	20.0.4
@nstudio/xplat	20.0.5, 20.0.6, 20.0.7
@nstudio/xplat-utils	20.0.5, 20.0.6, 20.0.7
@operato/board	9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46
@operato/data-grist	9.0.29, 9.0.35, 9.0.36, 9.0.37
@operato/graphql	9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46
@operato/headroom	9.0.2, 9.0.35, 9.0.36, 9.0.37
@operato/help	9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46
@operato/i18n	9.0.35, 9.0.36, 9.0.37
@operato/input	9.0.27, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46
@operato/layout	9.0.35, 9.0.36, 9.0.37
@operato/popup	9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46
@operato/pull-to-refresh	9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42
@operato/shell	9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39
@operato/styles	9.0.2, 9.0.35, 9.0.36, 9.0.37
@operato/utils	9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46
@teselagen/bounce-loader	0.3.16, 0.3.17
@teselagen/liquibase-tools	0.4.1
@teselagen/range-utils	0.3.14, 0.3.15
@teselagen/react-list	0.8.19, 0.8.20
@teselagen/react-table	6.10.19
@thangved/callback-window	1.1.4
@things-factory/attachment-base	9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50
@things-factory/auth-base	9.0.43, 9.0.44, 9.0.45
@things-factory/email-base	9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50, 9.0.51, 9.0.52, 9.0.53, 9.0.54
@things-factory/env	9.0.42, 9.0.43, 9.0.44, 9.0.45
@things-factory/integration-base	9.0.43, 9.0.44, 9.0.45
@things-factory/shell	9.0.43, 9.0.44, 9.0.45
@tnf-dev/api	1.0.8
@tnf-dev/core	1.0.8
@tnf-dev/js	1.0.8
@tnf-dev/mui	1.0.8
@tnf-dev/react	1.0.8
@ui-ux-gang/devextreme-angular-rpk	24.1.7
@yoobic/design-system	6.5.17
@yoobic/jpeg-camera-es6	1.0.13
@yoobic/yobi	8.7.53
airchief	0.3.1
airpilot	0.8.8
angulartics2	14.1.1, 14.1.2
browser-webdriver-downloader	3.0.8
capacitor-notificationhandler	0.0.2, 0.0.3
capacitor-plugin-healthapp	0.0.2, 0.0.3
capacitor-plugin-ihealth	1.1.8, 1.1.9
capacitor-plugin-vonage	1.0.2, 1.0.3
capacitorandroidpermissions	0.0.4, 0.0.5
config-cordova	0.8.5
cordova-plugin-voxeet2	1.0.24
cordova-voxeet	1.0.32
create-hest-app	0.1.9
db-evo	1.1.4, 1.1.5
devextreme-angular-rpk	21.2.8
ember-browser-services	5.0.2, 5.0.3
ember-headless-form	1.1.2, 1.1.3
ember-headless-form-yup	1.0.1
ember-headless-table	2.1.5, 2.1.6
ember-url-hash-polyfill	1.0.12, 1.0.13
ember-velcro	2.2.1, 2.2.2
encounter-playground	0.0.2, 0.0.3, 0.0.4, 0.0.5
eslint-config-crowdstrike	11.0.2, 11.0.3
eslint-config-crowdstrike-node	4.0.3, 4.0.4
eslint-config-teselagen	6.1.7
globalize-rpk	1.7.4
graphql-sequelize-teselagen	5.3.8
html-to-base64-image	1.0.2
json-rules-engine-simplified	0.2.1
jumpgate	0.0.2
koa2-swagger-ui	5.11.1, 5.11.2
mcfly-semantic-release	1.3.1
mcp-knowledge-base	0.0.2
mcp-knowledge-graph	1.2.1
mobioffice-cli	1.0.3
monorepo-next	13.0.1, 13.0.2
mstate-angular	0.4.4
mstate-cli	0.4.7
mstate-dev-react	1.1.1
mstate-react	1.6.5
ng2-file-upload	7.0.2, 7.0.3, 8.0.1, 8.0.2, 8.0.3, 9.0.1
ngx-bootstrap	18.1.4, 19.0.3, 19.0.4, 20.0.3, 20.0.4, 20.0.5
ngx-color	10.0.1, 10.0.2
ngx-toastr	19.0.1, 19.0.2
ngx-trend	8.0.1
ngx-ws	1.1.5, 1.1.6
oradm-to-gql	35.0.14, 35.0.15
oradm-to-sqlz	1.1.2
ove-auto-annotate	0.0.9
pm2-gelf-json	1.0.4, 1.0.5
printjs-rpk	1.6.1
react-complaint-image	0.0.32
react-jsonschema-form-conditionals	0.3.18
remark-preset-lint-crowdstrike	4.0.1, 4.0.2
rxnt-authentication	0.0.3, 0.0.4, 0.0.5, 0.0.6
rxnt-healthchecks-nestjs	1.0.2, 1.0.3, 1.0.4, 1.0.5
rxnt-kue	1.0.4, 1.0.5, 1.0.6, 1.0.7
swc-plugin-component-annotate	1.9.1, 1.9.2
tbssnch	1.0.2
teselagen-interval-tree	1.1.2
tg-client-query-builder	2.14.4, 2.14.5
tg-redbird	1.3.1
tg-seq-gen	1.0.9, 1.0.10
thangved-react-grid	1.0.3
ts-gaussian	3.0.5, 3.0.6
ts-imports	1.0.1, 1.0.2
tvi-cli	0.1.5
ve-bamreader	0.2.6
ve-editor	1.0.1
verror-extra	6.0.1
voip-callkit	1.0.2, 1.0.3
wdio-web-reporter	0.1.3
yargs-help-output	5.0.3
yoo-styles	6.0.326

References:

[1] https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
[2] https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
[3] https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised
[4] https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
[5] https://www.wiz.io/blog/s1ngularity-supply-chain-attack
[6] https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html
[7] https://supportportal.crowdstrike.com/s/article/Tech-Alert-NPM-packages-in-Public-Registries
[8] https://www.reddit.com/r/crowdstrike/comments/1nigwjp/comment/neixlcg/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
[9] https://www.cisa.gov/sbom
[10] https://owasp.org/www-project-software-component-verification-standard/

ESENTIRE SERVICES

AI Powered platform

human led response

MDR Packages and 24/7 Protection

Atlas Essentials

Atlas Advanced

Atlas Complete

24/7 Coverage

INDUSTRIES

USE CASES

Resources

SECURITY ADVISORIES

From The Blog

ABOUT ESENTIRE

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

TribalNet Annual Conference

Future Tech Strategy Forum

IT Leaders Summit

INTERFACE Salt Lake City

ILTA Roadshow Frankfurt

LATEST PRESS RELEASE

OUR PARTNERSHIPS

PARTNER PROGRAM

Search our site

Quick Links

ALL-IN-ONE MDR SERVICE →

24/7 SOC SUPPORT →

MDR PRICING AND PACKAGES →

TRU INTELLIGENCE CENTER →

MDR VENDOR COMPARISONS →

MDR CASE STUDIES →

Get Started →

Build A Quote →

Become A Partner →

Security advisories

New npm Supply Chain Attack Identified

Speak With A Security Expert Now

THE THREAT

What we’re doing about it

What you should do about it

Additional information

The Proven Choice for Managed Detection and Response

Sales and Customer Support

What we do

How we do it

Industries

Use Cases

Resources

Tools

Company

The Proven Choice for
Managed Detection and Response

Sales and
Customer Support