The “Shai-Hulud” npm Supply Chain Attack: What We Know
Have you seen Dune, the desert-world sci-fi movie with the giant sandworms? Those big-mouthed beasties are known as Shai-Hulud, and it’s no coincidence that the latest monster-sized supply chain attack borrows the name because it’s just as threatening: a self-replicating worm that burrows into the JavaScript world, siphoning secrets and propagating itself across packages.
Software supply chain attacks increased by 742% between 2019 and 2023, and they continue to grow, doubling since April 2025. No industry is safe, but Reflectiz can help, so let’s explore what’s going on and what to do about it.
TL;DR
Key Attack Details
- Shai-Hulud is a self-replicating malware worm that targets the npm (Node Package Manager) ecosystem, named after the giant sandworms from Dune
- Started September 15, 2025, initially hitting @ctrl/tinycolor package (2.2M weekly downloads) and spread to 500+ npm packages
- Possibly connected to the S1ngularity/Nx GitHub attack from August 2025
How It Works
- Steals maintainer credentials through phishing attacks (similar to Josh Junon/Qix incident)
- Injects malicious code into popular JavaScript packages, which then executes when those packages are installed
- Automatically publishes tainted updates using hijacked tokens
- Exfiltrates stolen credentials via public GitHub repositories
Scale & Impact
- Supply chain attacks increased 742% between 2019 and 2023 and have continued doubling since April 2025
- npm hosts 3.5 million packages – making it a prime target for widespread damage
- Affects billions of users since almost every modern JavaScript/TypeScript project uses npm
Notable Recent Supply Chain Attacks
- SolarWinds (2020) – 18,000+ organizations breached
- Log4j (2021) – billions of apps affected
- Polyfill.io (2024) – millions of websites compromised
- Multiple 2025 attacks including eslint-config-prettier, Nx/S1ngularity, and Qix phishing
Reflectiz Solution
- Provides runtime monitoring and anomaly detection for JavaScript environments
- Maps third-party dependencies and identifies suspicious behaviors
- Blocks unauthorized network calls and credential exfiltration in real-time
- Offers zero-impact deployment without requiring code changes
What’s npm?
npm stands for Node Package Manager. It’s the default package manager for Node.js, the popular JavaScript runtime. npm is the largest software registry in the world, hosting 3.5 million packages (as of May 2025), and almost every modern JavaScript/TypeScript project relies on it. This is both a strength and a weakness. Such widespread use makes npm a prime target for supply-chain attacks. Bad actors know that injecting malicious code into popular packages is like poisoning the water supply: one campaign can harm billions of victims.
What’s a package manager?
In plain terms, JavaScript was originally built to run only in browsers, powered by their built-in engines, but it’s such a popular programming language that developers decided to set it free. A JavaScript runtime like Node.js takes that engine out of the browser and adds extra features (like file system access, servers, and OS integration). Now, anyone can use ‘the language of the web’ for backend servers, command-line tools, and desktop apps, too.
Modern apps often depend on dozens (or hundreds) of external JavaScript libraries, and npm keeps track of which versions you’re using and resolves their sub-dependencies automatically. Today’s modular websites can also call on any number of these code snippets, and npm lets developers install, update, and remove them as necessary. So, with this kind of attack, everyone using Node.js to call on code for their apps and websites may also be introducing a self-replicating worm that steals whatever it’s told to.
How did it start?
The experts aren’t sure but think it may be tied to the S1ngularity/Nx GitHub attack of August 2025. Whatever its origins, Shai-Hulud surfaced on September 15, initially hitting the popular @ctrl/tinycolor package (2.2 million weekly downloads) before cascading to over 500 affected npm packages, and counting. This isn’t just a one-off; it’s malware that steals credentials, exfiltrates them via public GitHub repositories, and auto-publishes tainted updates using hijacked tokens, so it’s best to describe it as ongoing.
Despite the uncertainty about its origin, some suspect it might have started via phishing, and a separate but similar campaign in September shows just how easy it is to fall prey to a phishing email. A maintainer called Josh Junon, known as Qix, received one that urged him to update his two-factor authentication (2FA) credentials for Node.js.
Maintainers
If you didn’t know, maintainers are the people who control the JS packages published to npm. They protect their accounts with 2FA, but Josh slipped up during a busy week. It only took a moment’s lapse of concentration for him to click on the embedded link. The phishing page stole his credentials, and the attackers used them to publish rogue versions of his packages to the npm registry. With more than 2.6 billion downloads a week between them, the compromised packages were then free to go hunting for crypto wallets to empty.
How common are supply chain attacks?
Shai-Hulud is looking for credentials rather than crypto, and it’s just the latest in a long line of common attacks. They can affect any organisation in any sector, public or private, and some may even have the resources of hostile nation states behind them, particularly those keen to fund their regimes through cybercrime, like North Korea. Here are some of the most notable attacks of recent years:
| Attack | Year | Target | Impact | Tactic |
| --- | --- | --- | --- | --- |
| SolarWinds | 2020 | Orion software updates | 18,000+ orgs (gov’t, Fortune 500s) breached | Trojanized builds; nation-state (Russia-linked) |
| Log4Shell (Log4j) | 2021 | Java logging library | Billions of apps/devices; every major industry | Zero-day vulnerability exploitation |
| 3CX | 2023 | VoIP desktop app | 10,000+ orgs; crypto miner + backdoor | Poisoned build system via DLL sideloading |
| Polyfill.io | 2024 | JS CDN/polyfill service | Millions of sites (e.g., gov’t, finance) | New owners injected malicious JS for redirects/crypto theft |
| eslint-config-prettier | 2025 (Jul) | npm linting config | 30M+ weekly downloads | Maintainer compromise via phishing |
| Nx/S1ngularity | 2025 (Aug) | Nx build tools | Dozens of packages; token theft | GitHub token hijack leading to npm poisoning |
| Qix Phishing (Chalk/Debug) | 2025 (Sep 8) | 18-20 npm pkgs (e.g., chalk, debug) | 2.6B+ weekly downloads; 10% of clouds exposed | 2FA phishing; crypto-wallet drainer |
| Shai-Hulud | 2025 (Sep 15) | 500+ npm pkgs (e.g., @ctrl/tinycolor) | Ongoing; millions of downloads; 700+ repos made public | Self-replicating worm; credential dump + auto-publish |
How Reflectiz could have helped tie up the worm
Reflectiz specializes in runtime application security for web and client-side JavaScript environments, so it could have helped stem the Shai-Hulud npm supply chain attack by providing proactive monitoring, anomaly detection, and behavioral analysis of third-party code, key defenses against the worm’s propagation through compromised packages.
This attack exploited maintainer credentials to inject self-replicating malware into popular npm libraries (like @ctrl/tinycolor), which then executed during installs or runtime to steal secrets, exfiltrate data to attacker-controlled repos, and auto-publish tainted updates. Reflectiz’s tools, designed for web app supply chains, focus on JavaScript ecosystems where npm dependencies are commonplace, offering layered protection without requiring code changes. Here’s how it could have helped mitigate this kind of incident:
1. Enhanced visibility into third-party and open-source components
npm packages often form the backbone of JS apps, with dependencies creating hidden risks. Reflectiz excels at inventorying and mapping these, identifying “WHO” (vendors/tools like npm libraries), “WHAT” (their behaviors and security impact), and “WHERE” (data flows to external domains). In the Shai-Hulud case:
- It could scan for suspicious npm integrations early, flagging the 500+ affected packages (e.g., via automated supply chain analysis) before deployment.
- By compiling a digital inventory of components, including fourth-party dependencies, it would reveal blind spots like the worm’s use of tools (e.g., TruffleHog for secret scanning), preventing unnoticed propagation.
- This aligns with broader supply chain best practices, such as Software Bill of Materials (SBOM) mandates, which Reflectiz supports through continuous validation of patch status and licenses.
2. Runtime Monitoring and Anomaly Detection
The worm’s payload ran silently via `postinstall` scripts, dumping credentials to GitHub and making repositories public, behaviors that stand out like a snowman at the beach in a JS runtime. Reflectiz’s runtime protection layer monitors client-side execution in real-time:
- It detects unusual activities, like unauthorized network calls to attacker webhooks or credential exfiltration, blocking them before data loss can occur.
- It validates script behaviors against baselines; for instance, if a compromised package like `chalk` (from the related Qix phishing) altered its output to hook wallets or scan environment variables (key-value pairs often used to hold sensitive configuration data like API keys and authentication tokens), Reflectiz could alert and quarantine it.
- Zero-impact deployment (no agents or code mods) ensures it works across web apps pulling npm dependencies, reducing alert fatigue by prioritizing risks based on business impact. In past incidents like Log4j, similar monitoring has caught vulnerabilities early across numerous sites.
3. Behavioral Protection Against Client-Side Threats
Shai-Hulud’s self-replication mimicked Magecart-style attacks, injecting malware JS that could affect web frontends. Reflectiz specializes in client-side defenses:
- Secures tags and iframes (common npm vectors) against skimming or injection, preventing the worm from executing in browsers or Node environments.
- Monitors for changes in third-party behaviors, such as a “sneaky” npm library suddenly communicating with malicious domains, directly countering the attack’s GitHub exfiltration and auto-publish tactics.
- For npm-specific flows, it could enforce privacy/compliance rules (e.g., PCI-DSS 4.0 script monitoring), blocking data leaks from builds or deployments.
4. Proactive Risk Prioritization and Validation
Beyond detection, Reflectiz validates security postures post-integration:
- It identifies misconfigurations and outdated or rogue npm package versions (e.g., the tainted updates the worm published) via its intelligence database, enabling quick rollbacks.
- Overall, it reduces reliance on reactive measures (e.g., npm blocklists) by providing a centralized dashboard for web asset governance, ensuring only trusted JS code runs.
In essence, while attacks like Shai-Hulud target the human layer (phishing maintainers), Reflectiz acts as a safety net for the software layer, treating npm as part of the web supply chain. Organizations using it could limit the fallout to isolated alerts rather than widespread credential theft. Register for Reflectiz here today.