Self-replicating Shai-hulud worm spreads token-stealing malware on npm
Essential information
- Published: 16/09/2025 21:37
- Modified: 17/09/2025 11:56
- Tags: 2025-09-16, npm, open-source, package compromise, self-replicating, shai-hulud, supply-chain, token-stealing, worm
- Related entities: 1 malware
Description
A self-replicating worm named Shai-hulud has been detected on the npm registry. It spreads through compromised developer accounts and injects malicious code into legitimate packages. The worm steals cloud service tokens, primarily targeting npm, GitHub, AWS, and GCP credentials, and it also installs Trufflehog to discover additional secrets. The compromised packages include popular ones with millions of weekly downloads. The worm's functionality includes self-propagation to further packages, token theft, and exposing private repositories. Similarities with previous npm compromises have been noted. The impact is significant, affecting numerous developers and organizations across a range of industries.