Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages

The Shai-Hulud worm represents the first successful worm attack in the NPM ecosystem, infecting over 500 packages including @ctrl/tinycolor. The malware demonstrates sophisticated capabilities including credential harvesting for AWS, GCP, and Azure using TruffleHog tools. It establishes persistence through GitHub Actions backdoors and exhibits self-replicating behavior by automatically spreading to other maintainer packages. This marks an unprecedented self-propagating supply chain attack that leverages the interconnected nature of the NPM package ecosystem. The worm's ability to harvest cloud credentials and maintain persistence through CI/CD pipelines represents a significant escalation in supply chain attack sophistication.