Particle.news

Self-Replicating 'Shai‑Hulud' Worm Poisons 187 npm Packages

The malware harvests developer credentials, then uses stolen tokens to auto‑publish infected updates across maintainers' projects.

Overview

  • Researchers report an active supply‑chain campaign that began with @ctrl/tinycolor and expanded to at least 187 packages, including some under CrowdStrike’s namespace.
  • Compromised releases ship a postinstall hook that runs a bundle.js payload: it executes TruffleHog, scans the environment and cloud instance‑metadata endpoints for secrets, validates the stolen tokens against the npm and GitHub APIs, plants a GitHub Actions workflow, and exfiltrates the data to a webhook and to public GitHub repositories named Shai‑Hulud.
  • The worm uses the valid npm tokens it has stolen to modify and republish the affected maintainer’s most‑used packages, so each compromised maintainer seeds further compromises; analyses note that the payload targets Linux and macOS and often skips Windows.
  • npm removed the tainted versions while maintainers deleted the malicious publishes and rotated credentials; CrowdStrike says the affected packages in its namespace were pulled and that its Falcon platform is unaffected.
  • Wiz and other researchers assess a link to the late‑August s1ngularity/Nx token‑theft incidents, and ReversingLabs points to rxnt-authentication as an early seed package. Response teams urge uninstalling the affected versions, rotating every secret exposed to the affected developer and CI environments (npm, GitHub and cloud credentials included), and auditing those systems for planted workflows and unexpected publishes.