{
  "name": "The npm Threat Landscape: Attack Surface and Mitigations",
  "slug": "the-npm-threat-landscape-attack-surface-and-mitigations",
  "description": "The npm ecosystem experienced a critical shift in September 2025 with the Shai-Hulud worm, marking the transition from isolated attacks to systematic supply chain compromises. In April 2026, TeamPCP launched a coordinated campaign through a malicious @bitwarden/cli package targeting multiple distribution channels including Docker Hub, GitHub Actions, and VS Code extensions. The multi-stage payload employs advanced obfuscation, harvests credentials from cloud providers and developer workstations, exfiltrates data through encrypted HTTPS and GitHub repositories, and self-propagates by backdooring npm packages using stolen tokens. The malware uses GitHub's search API as a resilient command-and-control fallback mechanism and features anti-detection measures including Russian-locale killswitches. This represents an evolution toward wormable propagation, infrastructure-level persistence, and dormant payloads that activate under specific conditions.",
  "published": "2026-04-24T22:01:57+00:00",
  "created_at": "2026-04-24T22:01:57+00:00",
  "modified_at": "2026-04-27T12:58:18+00:00",
  "created_at_opencti": "2026-04-24T22:01:57+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-25",
    "ci/cd compromise",
    "credential harvesting",
    "github",
    "npm packages",
    "obfuscation",
    "self-replicating malware",
    "shai-hulud",
    "supply-chain",
    "worm propagation"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://audit.checkmarx.cx:443"
      },
      {
        "id": "",
        "name": "167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad"
      },
      {
        "id": "",
        "name": "18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb"
      },
      {
        "id": "",
        "name": "f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d"
      }
    ],
    "malware": [
      {
        "id": "5f1b5295-c3e8-4b41-934d-64d3cd228f17",
        "name": "Shai-Hulud",
        "slug": "shai-hulud"
      }
    ],
    "intrusion_sets": [
      {
        "id": "5255c6ce-4692-4aea-b599-0e78a6c4c4aa",
        "name": "TeamPCP",
        "slug": "teampcp"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "d3254e3b-07e6-4420-96e0-2e107ce17712",
        "name": "T1102.001"
      },
      {
        "id": "5882a135-5b7e-4caf-93e8-80f7df41cef2",
        "name": "T1564.001"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "9f21708c-24b6-46b5-bf7e-522256e8470c",
        "name": "T1552.004"
      },
      {
        "id": "96df92ce-da3e-4c6d-8250-cb250c9ed619",
        "name": "T1554"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e",
        "name": "T1567.002"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "ee82762a-2958-4901-aade-341277d9b410",
        "name": "T1078.004"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "7c497590-4975-4cec-b8c6-e94966b6e9c3",
        "name": "T1087.004"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "checkmarx.cx"
      },
      {
        "id": "",
        "name": "audit.checkmarx.cx"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Malware_Category_1920x900.jpg",
    "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/",
    "https://otx.alienvault.com/pulse/69ec0475e74facdf3bf89ce1"
  ]
}