Shai-Hulud Worm: New NPM Supply-Chain Attack Strikes CrowdStrike & Many Others

The Unseen Attack at the Heart of Modern Software
The open-source software ecosystem, the foundational infrastructure of the digital world, has recently been targeted in a series of sophisticated supply chain attacks. This report provides a detailed analysis of a major campaign known as the "Shai-Hulud attack," which compromised packages belonging to cybersecurity firm CrowdStrike and targeted their internal CI/CD pipelines.
Understanding the Software Supply Chain Threat Landscape
What is a Software Supply Chain Attack?
A software supply chain attack represents a unique and insidious form of cybercrime. It occurs when a malicious actor compromises software at its source, before it is ever delivered to a customer or user. The attack infiltrates a software vendor's network, a public code repository, or a development tool, and then embeds malicious code into the software. This compromised software then acts as a trojan, unknowingly infecting the systems of every user who downloads or updates it.
This threat is amplified by the nature of modern software development. Applications are rarely built from scratch; instead, they are complex mosaics of countless components, including proprietary code, third-party APIs, and, most critically, open-source libraries. The average software project today is composed of over 200 such dependencies. This intricate web creates an exponential risk: a single vulnerability or compromise in a widely used dependency can propagate through the entire ecosystem, affecting every business and individual who relies on that foundational component.
The Anatomy of the Shai-Halud Attack
The recent npm security incident unfolded with a unique target and method of execution. The CrowdStrike incident was part of an ongoing malicious campaign known as the "Shai-Hulud attack". The compromise originated from the @crowdstrike/publisher npm account and affected several internal-use packages, including @crowdstrike/commitlint and @crowdstrike/foundry-js.
The Malware: A Multi-Stage Threat Actor
The malicious code embedded in the compromised packages was sophisticated and multi-staged, signifying a move away from simple smash-and-grab attacks.
The malware in the CrowdStrike packages was an embedded bundle.js script with a SHA-256 hash of 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09. When executed, this script initiated a multi-stage process to evade detection and ensure long-term persistence. The first stage involved downloading and running a legitimate open-source tool called TruffleHog, which is used for scanning for secrets and credentials. By using a trusted tool for a malicious purpose, the attackers attempted to blend their activity with normal development processes, making detection more difficult. After discovery, the malware would validate the stolen credentials, such as API tokens and cloud credentials. The final stage was dedicated to establishing persistence. The malware created unauthorized GitHub Actions workflows in compromised repositories to maintain access and automate further malicious activities. All stolen data was then exfiltrated to a hardcoded webhook endpoint controlled by the attackers. This shift towards using legitimate tools and building long-term persistence mechanisms suggests a strategic effort to establish a foothold for a sustained and expanding campaign, rather than a quick theft.
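The SHA-256 quoted above can be turned into a filesystem sweep. The following Node.js script is an added example, not code from the original report or from CrowdStrike: it walks a directory tree and reports any file named bundle.js whose hash matches. The function names and the demo tree are assumptions constructed for illustration.

```javascript
// Added example: find files named bundle.js whose SHA-256 matches an IoC.
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// SHA-256 of the embedded bundle.js as quoted in the article above.
const BUNDLE_JS_SHA256 =
  '46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09';

function sha256File(file) {
  return crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');
}

// Walk `root` without following symlinks (linked package trees can loop)
// and return paths of bundle.js files whose hash is in `badHashes`.
function findBundleByHash(root, badHashes = new Set([BUNDLE_JS_SHA256])) {
  const hits = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    let entries;
    try {
      entries = fs.readdirSync(dir, { withFileTypes: true });
    } catch {
      continue; // unreadable directory: skip rather than abort the sweep
    }
    for (const e of entries) {
      const full = path.join(dir, e.name);
      if (e.isDirectory()) stack.push(full);
      else if (e.isFile() && e.name === 'bundle.js' &&
               badHashes.has(sha256File(full))) hits.push(full);
    }
  }
  return hits;
}

// CONSTRUCTED demo tree: harmless stand-in files, not the real sample.
function buildDemoTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'ioc-demo-'));
  const pkg = path.join(root, 'node_modules', '@demo', 'pkg');
  fs.mkdirSync(pkg, { recursive: true });
  fs.writeFileSync(path.join(pkg, 'bundle.js'), '// constructed stand-in\n');
  fs.writeFileSync(path.join(pkg, 'index.js'), '// constructed stand-in\n');
  return root;
}

console.log(findBundleByHash(buildDemoTree())); // demo file is not the IoC
```

Point `findBundleByHash` at a project root or a CI workspace. A hash match only catches this exact file, so a clean result does not rule out other variants.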
The Reach: A Widespread Compromise
The impact of these attacks was far-reaching, affecting both corporate environments and the broader developer community. The CrowdStrike incident was a direct assault on corporate CI/CD infrastructure, a type of "CI/CD infrastructure attack" where malware is introduced into the development automation pipeline. This sort of attack is designed to compromise the most secure parts of an organization, leveraging the build process to reach privileged environments.
The following table provides a comprehensive list of the compromised packages and their affected versions, which is a critical tool for developers and security teams performing an audit.
Download 180+ vulnerable packages and their versions compromised by the NPM Supply Chain Attack!
Actionable Mitigation and Resiliency
For Developers and Engineering Teams
In the wake of these attacks, developers and engineering teams must adopt a proactive and systematic approach to security.
- Audit Dependencies Regularly: Developers should immediately check their package-lock.json or yarn.lock files against the list of known compromised versions. Tools that automate this process, such as Software Composition Analysis (SCA) solutions, can help identify and flag vulnerable packages.
- Implement Multifactor Authentication (MFA): Enabling MFA on all npm publishing accounts and developer tools is a critical step to prevent account takeover via phishing.
- Rotate Credentials: Any exposed npm tokens, API keys, or other secrets should be rotated immediately to prevent attackers from maintaining access to CI/CD pipelines and repositories.
- Pin Dependencies: Pinning dependencies to specific, safe versions can prevent the accidental installation of a vulnerable version that may be published with a higher version number.
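The lockfile audit from the first item above can be scripted. This is an added example, not tooling from the original report: it checks a parsed package-lock.json, in both the flat `packages` layout and the older nested `dependencies` layout, against a denylist of package versions. The version strings and the sample lockfile are constructed placeholders; the real name and version pairs come from the published list of compromised packages.

```javascript
// Added example: audit a parsed package-lock.json against a denylist.
// Versions below are CONSTRUCTED placeholders, not the real affected versions.
const DENYLIST = new Map([
  ['@crowdstrike/commitlint', new Set(['0.0.0-placeholder.1'])],
  ['@crowdstrike/foundry-js', new Set(['0.0.0-placeholder.2'])],
]);

// "node_modules/a/node_modules/@s/b" -> "@s/b" (lockfileVersion 2/3 keys)
function nameFromPath(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock, denylist = DENYLIST) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = denylist.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry
    check(meta.name || nameFromPath(key), meta.version, key);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when a
  // "packages" map exists, since v2 files carry both views).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${trail}>${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, 'root');
  return hits;
}

// CONSTRUCTED sample lockfile (v3): one transitive hit, one clean version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/@crowdstrike/foundry-js': { version: '9.9.9-clean' },
    'node_modules/tool/node_modules/@crowdstrike/commitlint': { version: '0.0.0-placeholder.1' },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

In a real run, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as `lock`. The `where` field shows the install path, which identifies the parent dependency that pulled in a transitive hit.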
For Organizations and Businesses
Beyond the developer level, organizations must establish a secure software supply chain policy as a core business function.
- Proactive Auditing: Organizations should use automated tools to gain complete visibility into their software dependencies. These tools can identify anomalous or compromised components, such as those with obfuscated code or unexpected behaviors, early in the development lifecycle.
- Generate and Maintain SBOMs: Making a Software Bill of Materials (SBOM) a standard part of the release process provides a transparent and machine-readable record of all components, enabling rapid vulnerability assessment and compliance with regulations.
- Continuous Monitoring: Continuous monitoring of CI/CD pipelines is crucial for detecting unusual npm publish events or unauthorized package modifications. Monitoring for runtime anomalies, such as unexpected network activity or API manipulations, can also provide early warnings of a compromise.
- Integrate Threat Intelligence: Subscribing to security alerts from sources like npm and integrating this threat intelligence into security tools ensures that teams can act swiftly when a new vulnerability or compromise is discovered.
The Future of Supply Chain Security
The September 2025 npm attacks are a clarion call for the entire software community. The open-source ecosystem, which is the foundation of the digital world, is now a primary target for a diverse range of malicious actors, from credential stealers to cryptocurrency hijackers. These incidents demonstrate that a reactive, perimeter-based security model is no longer sufficient.
The industry must shift toward a proactive model centered on visibility, detection, and rapid remediation. This requires a combination of human vigilance, automated tooling that can detect patterns in millions of data points per day, and a culture where security is a shared responsibility. The rapid detection of the crypto-hijacking attack by the community itself proves the immense strength of a vigilant and collaborative open-source community. Fostering this collaboration and building security into every stage of the software lifecycle is the only way to build a more resilient and trustworthy ecosystem for the future.