Self-propagating Supply Chain Attack Hits 187 NPM Packages
Security Advisory 17.09.25
Overview
Security researchers have reported an active supply chain attack impacting the npm package ecosystem. At least 187 npm packages have been compromised with a self-propagating payload designed to infect other packages. The campaign, referred to as “Shai-Hulud”, began with the compromise of the widely used @ctrl/tinycolor package (over 2 million weekly downloads) and has since expanded to include packages published under CrowdStrike’s npm namespace.
The incident was first reported yesterday by Daniel Pereira, a senior backend engineer, and has since been investigated by supply chain security firm Socket, which initially confirmed 40 compromised packages. Subsequent analysis by Socket and Aikido researchers has raised the total to at least 187. CrowdStrike clarified that these packages are not used in the Falcon sensor, the platform remains unaffected, and customer security has not been compromised. CrowdStrike has removed the malicious packages, rotated keys in public registries, and is working with npm to support the ongoing investigation.
The compromised packages carry a worm-like mechanism, a malicious bundle.js script, that automatically infects other packages published by the same maintainer. The script scans for secrets with TruffleHog, harvests developer credentials, manipulates GitHub workflows, and exfiltrates the data it collects.
Affected Devices
The list of affected packages is extensive; a comprehensive list of affected package names and version numbers is available from Aikido Security: Full list of impacted packages
Recommended Remediations
Although vendors have confirmed that their core platforms remain secure, this incident highlights the critical importance of securing software builds and pipelines. ctrl:cyber recommends affected users:
- Rotate all secrets and CI/CD tokens
- Review dependency trees for malicious versions
- Pin dependencies to trusted releases
- Limit the scope of publishing credentials
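As an added example (not code from the advisory or from any of the vendors named above), the following script implements the "review dependency trees" step: it walks a lockfile's full package map, transitive dependencies included, and flags any entry whose name@version is on a block list. The AFFECTED set and the sample lockfile are constructed for the demo; the placeholder versions are not the real compromised versions, which must be taken from the Aikido list linked above.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed placeholder block list of compromised name@version pairs.
# Replace with the real entries from the published list; the versions
# below are deliberately fake and only serve the demonstration.
AFFECTED: Set[str] = {
    "@ctrl/tinycolor@9.9.9-placeholder",
    "example-scope/some-package@9.9.9-placeholder",
}


def package_name_from_path(path: str) -> str:
    """Map a lockfile 'packages' key such as
    'node_modules/a/node_modules/@scope/b' to the package name '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_compromised(lockfile: Dict) -> List[Tuple[str, str, str]]:
    """Walk a package-lock.json v2/v3 'packages' map and return
    (name, version, install_path) for every entry on the block list.
    Nested paths are included, so transitive copies are caught too."""
    hits = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name_from_path(path)
        version = meta.get("version", "")
        if f"{name}@{version}" in AFFECTED:
            hits.append((name, version, path))
    return sorted(hits)


# Constructed sample lockfile: a worm-published version often reaches a
# project as a transitive dependency, so the bad copy sits two levels deep
# while the top-level copy is clean.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@ctrl/tinycolor": {"version": "4.1.0"},
    "node_modules/some-lib": {"version": "2.0.0"},
    "node_modules/some-lib/node_modules/@ctrl/tinycolor":
      {"version": "9.9.9-placeholder"}
  }
}""")

if __name__ == "__main__":
    for name, version, path in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
```

Run it against the real package-lock.json of each project (`json.load(open("package-lock.json"))`) after loading the published list into AFFECTED; any hit means the project's secrets and CI/CD tokens should be treated as exposed and rotated.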