Introduction

In early September 2025, the npm ecosystem experienced one of its largest supply‑chain compromises to date. The campaign—referred to as the “Great npm Compromise” and its self‑propagating variant Shai‑Hulud— impacted hundreds of released versions across widely‑used libraries. Attackers compromised maintainer accounts, published malicious updates, and (in the worm phase) automated further spread.

Attack Overview

Initial Access 

Targeted phishing of maintainers; in some cases, MFA reset/abuse allowed publication rights to be hijacked.

Execution

Malicious releases harvested environment variables and cloud credentials and, in browser contexts, hijacked Web3 wallet addresses.

Propagation

The Shai‑Hulud worm leveraged stolen npm tokens to auto‑publish poisoned versions, and abused GitHub (making private repos public and injecting actions) to harvest more secrets.

Figure 1 — Attack Flow: Maintainer account takeover → malicious publish → downstream infection.

 

Postinstall execution vector

Many poisoned packages triggered via postinstall (e.g., node bundle.js), primarily affecting Linux/macOS developer hosts and CI runners.

Scope of Compromise

Trackers reported ~164 unique packages and 330+ poisoned releases. High‑profile examples included debugchalk@ctrl/tinycolorangulartics2, and multiple @nativescript‑community/* libraries. The transitive‑dependency blast radius was significant.

Evidence & Indicators

Public advisories and trackers enumerated malicious package@version entries, C2 domains, and hashes of tampered tarballs. Vendors also observed embedded secret‑scanning to discover additional credentials.

Figure 2 — IOC / Malware Behaviour: secret scanning → exfiltration → worm self‑replication.

# Lockfile auditing (example)
jq -r '.packages | to_entries[] | "\(.key)@\(.value.version)"
' package-lock.json | grep -F -f compromised.txt

Impact

Risk of credential exposure (npm/GitHub, cloud providers), malware execution on developer and CI machines, and stealthy crypto‑theft via Web3 address replacement. Organizations relying on automated updates were especially exposed.

Mitigation & Recommendations

Audit & Pin: Diff lockfiles against known bad versions; pin to safe releases.

Credential Hygiene: Rotate secrets potentially present on affected hosts/CI.

Phishing‑resistant MFA: Enforce WebAuthn/FIDO2 for maintainers.

Provenance: Adopt signing (Sigstore/in‑toto) and deterministic builds in CI.

Registry Controls: Harden account recovery; enable anomaly detection on publish events.

Figure 3 — Selected timeline of the September 2025 npm compromise.

Timeline

Sep 8, 2025 — First poisoned versions observed (e.g., debugchalk).

Sep 9–12, 2025 — Spread to @ctrl/*, Angular/NativeScript ecosystems.

Sep 12, 2025 — Wiz names and analyzes the Shai‑Hulud worm.

Sep 16, 2025 — JFrog tracker lists ~164 packages / 338 releases.

Sep 18, 2025 — Additional advisories by Unit 42, Sonatype, ReversingLabs, Sysdig.