Particle.news


Shai-Hulud Worm Infects 187 npm Packages, Steals Secrets and Self‑Replicates via Stolen Tokens

Researchers link the campaign to August’s s1ngularity/Nx breach, cautioning that automated spread could reignite if any compromised maintainer credentials persist.

Overview

  • Security teams have cataloged roughly 180–187 compromised packages and more than 700 malicious versions, including briefly tainted CrowdStrike packages that were removed as keys were rotated.
  • The post‑install bundle.js payload runs TruffleHog to find tokens, validates them, creates public GitHub repos named “Shai‑Hulud,” and pushes a GitHub Actions workflow that exfiltrates the harvested data to a webhook endpoint; the endpoint was later disabled, but the workflow logs still exposed the secrets.
  • GitGuardian reported 278 leaked secrets across public repos and workflow logs, noting most were revoked quickly but dozens of GitHub tokens remained active.
  • Using any discovered npm tokens, the malware republishes trojanized versions of other packages a maintainer controls, with analyses noting it targets Linux and macOS environments and deliberately skips Windows.
  • Vendors and registries rolled back the malicious releases and published indicators of compromise (IOCs), while researchers urge uninstalling affected versions, clearing npm caches, auditing CI and developer systems, and revoking and reissuing all GitHub, npm, cloud and API credentials.