Huseyin Can YUCEEL | 4 MIN READ

LAST UPDATED ON SEPTEMBER 26, 2025

Shai-Hulud Worm: Inside the npm Supply Chain Attack

npm is the most widely used package registry for JavaScript, and millions of developers depend on its shared libraries to build and maintain their applications. Yet this same popularity makes it an attractive target for adversaries, since a single compromised package can quickly ripple into a full-scale supply chain attack.

In September 2025, the Shai-Hulud campaign weaponized npm with a self-replicating worm. By stealing developer credentials and abusing maintainer accounts, Shai-Hulud spread across the ecosystem and poisoned more than 500 packages, including widely used libraries such as @ctrl/tinycolor. This incident marked one of the first worm-driven supply chain compromises in open source, setting a new precedent for automated propagation at scale.

In this blog post, we break down how the Shai-Hulud worm operates and explain how organizations can defend themselves against npm supply chain attacks.


Shai-Hulud Worm: npm Supply Chain Attack Explained

What is npm?

npm, commonly expanded as Node Package Manager, is the world's largest software registry and the default package manager for Node.js. It serves as a central hub where developers can publish, share, and reuse JavaScript libraries. Instead of writing every piece of functionality from scratch, developers can pull in community-maintained packages ranging from small utility functions to full frameworks. Today, npm hosts millions of packages and serves billions of weekly downloads, making it the backbone of the JavaScript ecosystem. Because so many applications depend on third-party packages from npm, compromising even a single widely used package can ripple out to thousands of downstream applications and turn into a supply chain attack.

Shai-Hulud Worm Targeting the npm ecosystem

On September 15, 2025, security researchers disclosed their findings about the Shai-Hulud worm, a self-replicating malware that targeted the npm ecosystem. The worm has compromised over 500 npm packages, including the widely used @ctrl/tinycolor library. The attack represents one of the first large-scale worm-style supply chain attacks in open-source software. Instead of a single malicious package, Shai-Hulud spread automatically across hundreds of npm projects by abusing developer credentials and maintainer accounts. 

How Does the Shai-Hulud Worm Attack Work?

The Shai-Hulud campaign appears to have begun with developer account takeovers rather than a direct exploit of npm itself. Reports suggest that attackers launched a credential-harvesting phishing campaign that spoofed npm and lured maintainers into "updating" their multi-factor authentication settings. By tricking developers into handing over npm tokens and GitHub credentials, the adversaries gained valid publishing access to trusted packages.

Once the attackers had those credentials, they were able to publish modified packages containing the worm. The malicious versions added post-install scripts that executed automatically when the package was installed. These scripts harvested sensitive information such as npm tokens, GitHub personal access tokens, and cloud credentials for AWS, GCP, and Azure. Stolen data was then uploaded to attacker-controlled endpoints or even published into new public GitHub repositories named "Shai-Hulud," blending malicious activity into normal developer workflows.

Shai-Hulud is especially dangerous due to its propagation mechanism. After stealing a maintainer's npm token, it authenticated to the npm registry as that developer, injected malicious code into other packages they managed, and published new, trojanized versions. This automated cycle allowed the worm to spread with little human input. 

Researchers also noted that parts of Shai-Hulud's malicious code, specifically its bash scripts, showed signs of having been generated with a large language model (LLM). This suggests the attackers used AI tooling to speed up malware development.

How Does Picus Help Simulate npm Supply Chain and Shai-Hulud Attacks?

We strongly suggest simulating npm supply chain and Shai-Hulud malware attacks with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against other supply chain attacks, such as SmoothOperator, XZ Utils, and JetBrains TeamCity, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the npm supply chain and Shai-Hulud malware attacks:

Threat ID | Threat Name                              | Attack Module
65219     | Shai-Hulud Worm/Spreader Download Threat | Network Infiltration
60454     | Shai-Hulud Worm/Spreader Email Threat    | Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address npm supply chain attacks, Shai-Hulud malware, and other malware in preventive security controls. Currently, Picus Labs has validated the following signatures for npm supply chain attacks and Shai-Hulud malware:

Security Control | Signature ID | Signature Name
Check Point NGFW | 0A015D2E4    | Trojan.Win32.Generic.TC.a25dIirO
Forcepoint NGFW  |              | File_Malware-MD5
Forcepoint NGFW  |              | File_Malware-Blocked
FortiGate NGFW   | 10232377     | JS/ShaiHulud.A!tr
FortiGate NGFW   | 10232392     | JS/Agent.TFN!tr
Palo Alto NGFW   | 87046        | Malicious Package From NPM Supply Chain Attack Detection
Palo Alto NGFW   | 743925613    | Virus/Win32.WGeneric.ercngv
Snort IPS        | 1.2011347.2  | ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
