
Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages

23 November 2025 at 12:53:12

stepsecurity.io

The Shai-Hulud worm has compromised over 500 NPM packages in the first successful self-replicating worm attack on the NPM ecosystem. The malware targets popular packages including @ctrl/tinycolor and automatically spreads to other maintainer packages. It harvests cloud credentials from AWS, GCP, and Azure using TruffleHog tools. The worm establishes persistence through GitHub Actions backdoors. This represents an unprecedented self-propagating supply chain attack affecting the JavaScript/Node.js ecosystem. The attack demonstrates advanced techniques combining credential harvesting with automated package propagation.

Related CVEs:

No CVEs found in this article

Related threat actors:

No threat actors found in this article

Affected products:

NPM, @ctrl/tinycolor, GitHub Actions, AWS, GCP, Azure

IOCs:

No IOCs found in this article

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information from external sources; Perceptive accepts no responsibility for the accuracy, completeness, or timeliness of this information.
