Summary: Detect and mitigate a critical supply chain compromise affecting over 100 packages; organizations should act urgently.
# Incident Report: Shai-Hulud npm Supply Chain Worm
## Executive Summary
A critical npm supply chain attack, dubbed "Shai-Hulud," occurred on September 16, 2025, involving the mass publishing of malicious package versions containing self-propagating worm features and data-stealing malware. The attack built on compromised packages from a prior incident (s1ngularity/Nx) and successfully exfiltrated secrets via GitHub Actions using stolen tokens. Over 100 packages were compromised, leading to data theft and unauthorized repository modifications across affected organizations.
## Incident Details
- **Discovery Date:** September 16, 2025
- **Incident Date:** September 16, 2025 (Publication of malicious packages)
- **Affected Organization:** Over 100 npm packages, and the organizations consuming them
- **Sector:** Software Development / Technology (Targeting the npm ecosystem)
- **Geography:** Global (npm ecosystem)
## Timeline of Events
### Initial Access
- **Date/Time:** September 16, 2025 (Publication date)
- **Vector:** Compromised npm packages published to the public registry.
- **Details:** Malicious versions of popular packages were published. Upon installation, a post-install script executed to harvest secrets and environment variables. The attack chain appears downstream of an earlier GitHub token theft (s1ngularity/Nx incident).
### Lateral Movement
- **Vector:** Worm-like behavior within the npm ecosystem.
- **Details:** If the installed package encounters environment variables containing npm tokens for other accessible registries, it automatically publishes malicious versions of any package it can access, spreading autonomously across the ecosystem.
### Data Exfiltration/Impact
- **Data Theft:** The payload used `TruffleHog` to scan for secrets (including cloud keys from IMDS) and harvested environment variables.
- **Exfiltration Method 1 (Primary Observed):** Validated GitHub tokens were abused to create a public repository named "Shai-Hulud" containing harvested secrets (`data.json`).
- **Exfiltration Method 2 (Secondary Observed):** A malicious GitHub Actions workflow was pushed to all accessible repositories, exfiltrating secrets to an external webhook (`https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7`).
- **Repository Modification/Camouflage:** Attacker migrated private organizational repositories to public personal repositories under the attacker user, with the description “Shai-Hulud Migration” and a `-migration` suffix.
### Detection & Response
- **Detection:** Wiz Research observed the activity, noting that the external webhook used for exfiltration had been deactivated by the platform due to excessive activity (hitting the 100 callback limit).
- **Response Actions:** Users were advised to immediately remove malicious packages (`rm -rf node_modules && npm cache clean --force`) and upgrade to clean releases. Organizations were advised to audit for suspicious repository creation and migration activity.
## Attack Methodology
- **Initial Access:** Installation of malicious npm package (Supply Chain Compromise).
- **Persistence:** Not explicitly detailed for the compromised host, but persistence in the ecosystem was achieved via worming capability (automating publication of further malicious packages).
- **Privilege Escalation:** Not applicable in the traditional sense; the attack relied on the execution context of the build process where tokens (npm, GitHub) are often present.
- **Defense Evasion:** Execution via a post-install script following a legitimate package installation.
- **Credential Access:** Scanning environment variables, using an installed secret scanning tool (`TruffleHog`), and harvesting AWS IMDS-exposed cloud keys.
- **Discovery:** Local reconnaissance using secret scanning tools within the execution context.
- **Lateral Movement:** Autonomous package publishing upon finding additional npm tokens in the victim's environment.
- **Collection:** In-memory and file-based secret harvesting from the build environment.
- **Exfiltration:** Pushing secrets to a self-created public GitHub repository and using malicious GitHub Actions to push secrets to an external webhook. Repository modifications were also a form of impact/exposure.
- **Impact:** Data theft, exposure of secrets, and unauthorized modification/public exposure of private source code repositories.
## Impact Assessment
- **Financial:** Not quantified in the report, but significant due to widespread compromise.
- **Data Breach:** Secrets (including cloud keys) extracted from affected systems. At least 36 users had secrets exposed in the `data.json` file in the attacker's repository. Eight users had private repositories force-migrated.
- **Operational:** Minimal direct operational disruption listed, though the integrity of development environments was severely threatened.
- **Reputational:** High, involving a major, self-propagating supply chain attack in the JavaScript ecosystem.
## Indicators of Compromise
- **Network indicators (Defanged):** `webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7` (Target for GitHub Action exfiltration).
- **File indicators:** `data.json` (containing double-base64-encoded secrets) found in the public "Shai-Hulud" repository.
- **Behavioral indicators:** Execution of post-install scripts in npm packages, automated GitHub repository migration (private to public user repos with description "Shai-Hulud Migration"), and automatic publishing of new malicious package versions.
## Response Actions
- **Containment:** Removal of malicious package versions (`rm -rf node_modules && npm cache clean --force`). Users urged to stay vigilant as the campaign was ongoing.
- **Eradication:** Not explicitly detailed for the host, but implied by removal/upgrading of affected packages. Monitoring systems for creation of attacker artifacts.
- **Recovery:** Upgrading dependency installations to known clean package releases. Auditing GitHub accounts and repositories for suspicious activity (e.g., repos named Shai-Hulud or migrations).
## Lessons Learned
- **Supply Chain Risk:** The attack demonstrated a highly effective, self-propagating worm mechanism leveraging established infrastructure (npm registry, GitHub Actions).
- **Token Exposure:** Post-install scripts retain access to highly sensitive credentials (npm tokens, GitHub tokens), which were successfully abused for further compromise and propagation.
- **Exfiltration Failure Point:** Reliance on external, free-tier services (like the webhook) for large-scale exfiltration can act as an unintentional kill switch when usage limits are breached.
## Recommendations
- Strictly vet and audit dependencies published to private and public registries (especially regarding post-install scripts).
- Implement automated monitoring for secret exposure in build environments and pipelines.
- Immediately revoke and rotate any GitHub tokens or credentials that existed in environments where malicious packages were installed.
- Audit GitHub for unauthorized changes, specifically looking for repositories named "Shai-Hulud" or private repository migrations.