Introduction
In early September 2025, the npm ecosystem experienced one of its largest supply‑chain compromises to date. The campaign—referred to as the “Great npm Compromise” and its self‑propagating variant Shai‑Hulud— impacted hundreds of released versions across widely‑used libraries. Attackers compromised maintainer accounts, published malicious updates, and (in the worm phase) automated further spread.
Attack Overview
Initial Access
Targeted phishing of maintainers; in some cases, MFA reset/abuse allowed publication rights to be hijacked.
Execution
Malicious releases harvested environment variables and cloud credentials and, in browser contexts, hijacked Web3 wallet addresses.
Propagation
The Shai‑Hulud worm leveraged stolen npm tokens to auto‑publish poisoned versions, and abused GitHub (making private repos public and injecting actions) to harvest more secrets.
Figure 1 — Attack Flow: Maintainer account takeover → malicious publish → downstream infection.
Postinstall execution vector
Many poisoned packages triggered via postinstall (e.g., node bundle.js), primarily affecting Linux/macOS developer hosts and CI runners.
Scope of Compromise
Trackers reported ~164 unique packages and 330+ poisoned releases. High‑profile examples included debug, chalk, @ctrl/tinycolor, angulartics2, and multiple @nativescript‑community/* libraries. The transitive‑dependency blast radius was significant.
Evidence & Indicators
Public advisories and trackers enumerated malicious package@version entries, C2 domains, and hashes of tampered tarballs. Vendors also observed embedded secret‑scanning to discover additional credentials.
Figure 2 — IOC / Malware Behaviour: secret scanning → exfiltration → worm self‑replication.
# Lockfile auditing (example)
jq -r '.packages | to_entries[] | "\(.key)@\(.value.version)"
' package-lock.json | grep -F -f compromised.txt
Impact
Risk of credential exposure (npm/GitHub, cloud providers), malware execution on developer and CI machines, and stealthy crypto‑theft via Web3 address replacement. Organizations relying on automated updates were especially exposed.
Mitigation & Recommendations
Audit & Pin: Diff lockfiles against known bad versions; pin to safe releases.
Credential Hygiene: Rotate secrets potentially present on affected hosts/CI.
Phishing‑resistant MFA: Enforce WebAuthn/FIDO2 for maintainers.
Provenance: Adopt signing (Sigstore/in‑toto) and deterministic builds in CI.
Registry Controls: Harden account recovery; enable anomaly detection on publish events.
Figure 3 — Selected timeline of the September 2025 npm compromise.
Timeline
Sep 8, 2025 — First poisoned versions observed (e.g., debug, chalk).
Sep 9–12, 2025 — Spread to @ctrl/*, Angular/NativeScript ecosystems.
Sep 12, 2025 — Wiz names and analyzes the Shai‑Hulud worm.
Sep 16, 2025 — JFrog tracker lists ~164 packages / 338 releases.
Sep 18, 2025 — Additional advisories by Unit 42, Sonatype, ReversingLabs, Sysdig.
References
Explore our services Resilience | A secure present, for a better future.