Shai-Hulud worm infects 25 npm packages, including CrowdStrike's

A new cyberattack has rocked the npm ecosystem, with the Shai-Hulud worm infecting at least 187 open-source packages—including 25 from security firm CrowdStrike.
The worm spreads by injecting itself into packages' postinstall scripts; once run, it harvests environment variables, cloud credentials, and GitHub tokens with TruffleHog and uploads that sensitive data to a public GitHub repo named "Shai-Hulud."
With those stolen tokens, it pushes malicious updates to every npm package managed by the affected account.

Shai-Hulud's self-replicating nature makes it especially concerning

Shai-Hulud targets Linux and Mac users (it skips Windows), stealing credentials and setting up GitHub Actions workflows that leak even more secrets to attacker-controlled servers.
It even flips private repos public under compromised accounts.
What makes it especially dangerous is that it's the first self-replicating worm in npm's supply chain—meaning it can spread on its own without anyone having to lift a finger.

Attack highlights need for better open-source security measures

This attack exposes some big gaps in how open-source software is protected. Automated credential theft and package takeovers could ripple through tons of projects if left unchecked.
In response, CrowdStrike and npm have removed infected packages and rotated keys to limit damage.
If you're working on code or using npm packages, now's a good time to audit your dependencies, revoke any exposed secrets, and watch your repos for unexpected activity such as new workflows or private repos flipped to public.
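As an added example (my own code, not from the article or any vendor tool), here is a small Node.js audit that flags installed packages whose install-time lifecycle scripts show the behaviours described above: TruffleHog use, the "Shai-Hulud" name, GitHub Actions workflow creation, token harvesting and network exfiltration. The indicator regexes and the sample package tree are constructed for illustration, not published detection signatures.

```javascript
// Added example (not the article's code): flag npm packages whose install-time
// lifecycle scripts show the behaviour the article describes.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators follow the article (TruffleHog, "Shai-Hulud" repo, GitHub Actions
// workflows, token theft, exfiltration); the regexes are my own assumptions.
const INDICATORS = [
  [/trufflehog/i, "invokes TruffleHog secret scanner"],
  [/shai-hulud/i, "references the Shai-Hulud repo name"],
  [/\.github\/workflows/i, "writes a GitHub Actions workflow"],
  [/process\.env|printenv|_TOKEN\b/, "reads environment variables or tokens"],
  [/\b(curl|wget)\b|fetch\(|https?\.request\(/i, "performs network I/O"],
];

// pkg: parsed package.json; files: { relativePath: source } for local files the
// hook command may run. Returns one finding per lifecycle hook present.
function auditPackage(pkg, files = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Scan the hook command itself plus the source of any local script it runs
    const sources = [cmd];
    for (const tok of cmd.split(/\s+/)) if (files[tok]) sources.push(files[tok]);
    const reasons = new Set();
    for (const src of sources)
      for (const [re, why] of INDICATORS) if (re.test(src)) reasons.add(why);
    findings.push({ package: pkg.name, version: pkg.version, hook, command: cmd,
                    reasons: [...reasons] });
  }
  return findings;
}

// entries: [{ pkg, files }] as read from node_modules; most indicators first.
// Zero reasons means "has a hook but nothing suspicious", still worth a glance.
function auditTree(entries) {
  return entries.flatMap(e => auditPackage(e.pkg, e.files))
    .sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample: a benign native build step and a package whose postinstall
// runs a bundled script mimicking the pattern the article describes.
const SAMPLE_TREE = [
  { pkg: { name: "harmless-lib", version: "1.2.3",
           scripts: { postinstall: "node-gyp rebuild" } } },
  { pkg: { name: "tainted-lib", version: "4.5.6",
           scripts: { postinstall: "node setup_bundle.js" } },
    files: { "setup_bundle.js":
      "const t = process.env.GITHUB_TOKEN;\n" +
      "execSync('trufflehog filesystem . --json');\n" +
      "fetch('https://api.github.com/repos', { body: 'Shai-Hulud' });\n" +
      "writeFileSync('.github/workflows/leak.yml', yml);" } },
];
```

To run it against a real tree, read each node_modules/*/package.json and the local files its hooks invoke; installing with `npm ci --ignore-scripts` lets you inspect packages before any lifecycle script executes.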