Self-replicating Shai-hulud worm spreads token stealing malware on npm

Published 16/09/2025 21:37 · Modified 17/09/2025 11:56

Essential information

Tags
2025-09-16 npm open-source package compromise self-replicating shai-hulud supply-chain token-stealing worm
Related entities
1 malware

Description

A worm named Shai-hulud has been detected on the npm registry, spreading through compromised developer accounts and injecting malicious code into legitimate packages. The worm steals cloud service tokens, primarily targeting npm, GitHub, AWS, and GCP. It also installs Trufflehog to detect additional secrets. The compromised packages include popular ones with millions of weekly downloads. The worm's functionality includes auto-spreading, token theft, and exposing private repositories. Similarities with previous compromises have been noted. The impact is significant, affecting numerous developers and organizations across various industries.

External references