TL;DR

A new software supply chain attack has been identified, targeting the npm registry and this time impacting more than 50 packages (at the time of this writing; more are being discovered) from various maintainers.

A function called NpmModule.updatePackage was inserted into the affected packages to perform several actions: download a package tarball, modify package.json, inject a local script (bundle.js), repack the archive, and republish it. This means any other packages or apps that use the newly published packages automatically get infected too.

The apparent goal of this campaign is to find secrets on developer machines, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY, using TruffleHog’s credential scanner, and to publish the collected secrets to a public GitHub repository called “Shai-Hulud.”

What happened?

First, it’s important to put this incident into context: this is the 4th attack on the npm registry. 

  • In the first incident, on July 18th, we saw Scavenger: five popular npm (Node Package Manager) packages were compromised and modified to deliver a malicious DLL.
  • Then we saw the s1ngularity attack detected by Aikido, where the attackers injected a malicious post-install script into multiple Nx package versions.
  • About a week later, on September 8th, came the ‘qix’ supply chain attack, dubbed by some as “the great npm heist”. This time, a targeted phishing campaign led to the hijacking of the account of developer ‘qix’, and the attackers managed to upload malicious package versions that started to be downloaded within a couple of hours.

And into that context comes the next big hit – the popular @ctrl/tinycolor package has been compromised. Mind you – this package has over 2 million weekly downloads! 

This attack wasn’t a simple one – it’s a multi-step plan that unfolded to create this massive attack on npm packages.

It is also important to note that there have been several reports of an extensive phishing campaign targeting npm maintainers, so this might not even be the last time we see something like this.

Entry point: 

The attack begins with a minified JavaScript bundle injected into affected packages like @ctrl/tinycolor, which runs automatically during npm install. This payload imports six core modules, each serving a specific function in the attack chain.

The malware could publish itself into other packages owned by the same maintainer, creating a chain reaction that infected a growing number of projects. This behavior is what classifies it as a self-propagating worm.

Credential theft:

The malware was actively looking for secrets in the victim’s environment: it dumped environment variables (process.env), scanned the filesystem with TruffleHog for things like AWS keys, connected to AWS, GCP, and Azure SDKs to pull stored secrets, and stole npm tokens, GitHub tokens, and cloud credentials.

Persistence:

To maintain persistence in the environment, the malware planted a malicious GitHub Actions workflow file in the repositories. The workflow runs automatically on pushes and sends all the repository secrets to the attacker’s server.

Exfiltration:

To exfiltrate the data, the malware builds an extensive JSON file that includes all the collected data (secrets, system information, etc.).

After creating the JSON file, the malware creates a new public GitHub repository (called Shai-Hulud) and uploads the stolen data to it.

Scale & Impact

This malware has affected packages with over 2.5 billion total downloads, with an attack window of roughly 2 hours before the infected versions were removed. 

This attack impacts all users using any of the infected versions:

Package Name                                      Version(s)
@ctrl/tinycolor                                   4.1.1, 4.1.2
angulartics2                                      14.1.2
@ctrl/deluge                                      7.2.2
@ctrl/golang-template                             1.4.3
@ctrl/magnet-link                                 4.0.4
@ctrl/ngx-codemirror                              7.0.2
@ctrl/ngx-csv                                     6.0.2
@ctrl/ngx-emoji-mart                              9.2.2
@ctrl/ngx-rightclick                              4.0.2
@ctrl/qbittorrent                                 9.7.2
@ctrl/react-adsense                               2.0.2
@ctrl/shared-torrent                              6.3.2
@ctrl/torrent-file                                4.1.2
@ctrl/transmission                                7.3.1
@ctrl/ts-base32                                   4.0.2
encounter-playground                              0.0.5
json-rules-engine-simplified                      0.2.4, 0.2.1
koa2-swagger-ui                                   5.11.2, 5.11.1
@nativescript-community/gesturehandler            2.0.35
@nativescript-community/sentry                    4.6.43
@nativescript-community/text                      1.6.13
@nativescript-community/ui-collectionview         6.0.6
@nativescript-community/ui-drawer                 0.1.30
@nativescript-community/ui-image                  4.5.6
@nativescript-community/ui-material-bottomsheet   7.2.72
@nativescript-community/ui-material-core          7.2.76
@nativescript-community/ui-material-core-tabs     7.2.76
ngx-color                                         10.0.2
ngx-toastr                                        19.0.2
ngx-trend                                         8.0.1
react-complaint-image                             0.0.35
react-jsonschema-form-conditionals                0.3.21
react-jsonschema-form-extras                      1.0.4
rxnt-authentication                               0.0.6
rxnt-healthchecks-nestjs                          1.0.5
rxnt-kue                                          1.0.7
swc-plugin-component-annotate                     1.9.2
ts-gaussian                                       3.0.6

What should organizations do?

If you suspect that one of the infected packages has made its way into your environment, or you have found the bundle.js file on your system, you need to act fast to contain the situation and minimize the impact on your environment:

  1. Remove the compromised versions: npm uninstall <package_name>
  2. Remove Malicious GitHub Actions Workflow:
    1. rm -f .github/workflows/shai-hulud-workflow.yml
    2. git ls-remote --heads origin | grep shai-hulud
    3. git push origin --delete shai-hulud
  3. Rotate all credentials immediately: This malware targets a range of secrets and credentials, and all credentials that are suspected to be exposed should be rotated. They include: npm tokens, GitHub personal access tokens, GitHub Actions secrets, SSH keys, AWS IAM credentials, access keys, session tokens, Google Cloud service account keys, OAuth tokens and more.
  4. Audit cloud infrastructure: Make sure the attackers haven’t gained access to your cloud infrastructure users, and if they did, determine how severe the impact on the compromised account was.
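
To find out whether a project resolved any of the versions in the table above, the lockfile can be checked directly, including transitive dependencies. The following is an added example, not code from the original article or from npm; the function name findCompromised and the sample lockfile are constructed for illustration.

```javascript
// Compromised versions copied from the table in this article, as "name@v1,v2".
const COMPROMISED = new Map(`
@ctrl/tinycolor@4.1.1,4.1.2 angulartics2@14.1.2 @ctrl/deluge@7.2.2 @ctrl/golang-template@1.4.3
@ctrl/magnet-link@4.0.4 @ctrl/ngx-codemirror@7.0.2 @ctrl/ngx-csv@6.0.2 @ctrl/ngx-emoji-mart@9.2.2
@ctrl/ngx-rightclick@4.0.2 @ctrl/qbittorrent@9.7.2 @ctrl/react-adsense@2.0.2 @ctrl/shared-torrent@6.3.2
@ctrl/torrent-file@4.1.2 @ctrl/transmission@7.3.1 @ctrl/ts-base32@4.0.2 encounter-playground@0.0.5
json-rules-engine-simplified@0.2.4,0.2.1 koa2-swagger-ui@5.11.2,5.11.1
@nativescript-community/gesturehandler@2.0.35 @nativescript-community/sentry@4.6.43
@nativescript-community/text@1.6.13 @nativescript-community/ui-collectionview@6.0.6
@nativescript-community/ui-drawer@0.1.30 @nativescript-community/ui-image@4.5.6
@nativescript-community/ui-material-bottomsheet@7.2.72 @nativescript-community/ui-material-core@7.2.76
@nativescript-community/ui-material-core-tabs@7.2.76 ngx-color@10.0.2 ngx-toastr@19.0.2 ngx-trend@8.0.1
react-complaint-image@0.0.35 react-jsonschema-form-conditionals@0.3.21 react-jsonschema-form-extras@1.0.4
rxnt-authentication@0.0.6 rxnt-healthchecks-nestjs@1.0.5 rxnt-kue@1.0.7
swc-plugin-component-annotate@1.9.2 ts-gaussian@3.0.6
`.trim().split(/\s+/).map((entry) => {
  const at = entry.lastIndexOf('@'); // the last '@' separates name from versions
  return [entry.slice(0, at), new Set(entry.slice(at + 1).split(','))];
}));

// Return every resolved name@version in a parsed package-lock.json that is on the list.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (COMPROMISED.get(name)?.has(version)) hits.push({ name, version, where });
  };
  // Lockfile v2/v3: flat "packages" map keyed by install path, transitive deps included.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(meta.name || path.split('node_modules/').pop(), meta.version, path);
  }
  // Lockfile v1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, `${trail} > ${name}`);
      walk(meta.dependencies, `${trail} > ${name}`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@ctrl/tinycolor': { version: '4.1.0' }, // not on the list
  'node_modules/ngx-color': { version: '10.0.2' }, // listed
  'node_modules/ngx-color/node_modules/@ctrl/tinycolor': { version: '4.1.2' }, // listed, transitive
} };
console.log(findCompromised(SAMPLE_LOCK)); // real use: pass JSON.parse of package-lock.json
```

Any hit means a listed version was resolved for the project, so the removal and credential rotation steps above apply to every machine and CI runner that installed from that lockfile.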

More generally, given this threat vector and the fact that it has been repeated multiple times in the past month, there are some security controls and practices we recommend for any organization using open-source dependencies (especially in the cloud, API environments, or with cryptographic, financial, or AI workloads):

  1. Dependency inventory & SBOMs (Software Bills of Materials)
    Keep a regularly updated inventory of all direct and transitive dependencies. Use SBOM tools to know which versions are in use.
  2. Pinning & version awareness
    Pin dependency versions (or ranges) so that unexpected upward-version jumps are visible (or blocked). Ensure that CI/CD pipelines enforce approved versions.
  3. Package integrity & verification
    Where possible, use tools that verify package signatures, code hashes, or use registries that support cryptographic signing. Check integrity of packages before build.
  4. Maintainer credential hygiene
    • Enforce 2FA (strong MFA) for all maintainer accounts.
    • Train maintainers to recognize phishing (spoofed support emails, 2FA reset requests).
    • Limit shared/privileged access (don’t use personal accounts for publishing rights if possible, separate duty accounts).
  5. Monitoring for anomalous package behavior
    • Watch for unusual version publishes from core packages.
    • Behavior scanning (static & dynamic) to detect injections, credential leaks, or cryptomining/wallet hijacking logic.
    • Use runtime protection: scanning for unexpected outbound communication (e.g. wallet redirectors, exfiltration).

How can Orca help?

Orca offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. The Orca Cloud Security Platform leverages Orca’s patented SideScanning™ technology to provide complete coverage and comprehensive risk detection.

Additionally, Orca provides:

  • Data Security Posture Management (DSPM): Orca provides DSPM capabilities that help organizations secure their sensitive data. Orca can help you quickly identify which secrets are present in your environment and where, simplifying and accelerating the process of understanding which secrets were exposed in case of a known attack, as well as the general day-to-day management of sensitive information.
  • Inventory: Orca tracks all your cloud assets and identities across your cloud estate, including users, services, and packages. In an attack such as this one, we can help you quickly discover which systems are compromised and help you contain the incident as fast as possible.
  • Exposure management: Even if you accidentally downloaded a malicious npm version, the impact is much smaller if your system does not permit any outgoing network traffic. With correct identification of the relevant systems, you can effectively prioritize how best to contain the situation.
