October 6, 2025
A self-replicating worm called Shai-Hulud has infected at least 187 packages in the JavaScript npm registry. When a compromised package is installed, the malware searches the developer’s machine for environment tokens (such as npm tokens). If it finds any, it uses them to inject itself into the developer’s top 20 npm packages and publishes new versions of them. It also steals credentials and makes them public by creating a GitHub repository named “Shai-Hulud.”
The worm also bundles reconnaissance tools (such as TruffleHog) to hunt for exposed secrets and access tokens. It spreads further by using compromised npm tokens, modifying libraries, and publishing the modified versions back to public registries. Some packages from CrowdStrike were among those infected, but they were removed rapidly and the affected keys were rotated. The attack bypasses the usual safeguards and highlights weaknesses in automated package publishing, the lack of multi-factor protection on publishing, and the need for stronger developer tooling hygiene.
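Two checks a defender can run after an incident like this are an audit of the project lockfile against an advisory list of compromised package versions, and a sweep for long-lived npm tokens sitting in the environment or in `.npmrc` (the tokens the worm abuses for its spread). The script below is an added example written for this summary; it is not from the Krebs article or from any npm tooling. The package names in `COMPROMISED_VERSIONS`, the sample lockfile, environment and `.npmrc` text are all constructed placeholders, and the `npm_` + 36-character token shape is an assumption to adjust for your own token format.

```python
"""Audit an npm project for (a) dependency versions on a compromise list and
(b) long-lived npm auth tokens left in the environment or in .npmrc."""
import json
import os
import re
from pathlib import Path

# Constructed placeholder advisory: package -> versions known to carry the worm.
# These names are invented for the example; substitute your vendor's list.
COMPROMISED_VERSIONS = {
    "example-colors-utils": {"4.2.0", "4.2.1"},
    "@example/ci-helper": {"1.9.3"},
}

# Assumed shape of a modern npm access token: "npm_" plus 36 alphanumerics.
NPM_TOKEN_RE = re.compile(r"npm_[A-Za-z0-9]{36}")


def _walk_v1(deps, found):
    # lockfileVersion 1 nests transitive deps under each entry's "dependencies".
    for name, meta in deps.items():
        found.append((name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies", {}), found)


def installed_packages(lock: dict) -> list:
    """Return (name, version) for every package in a package-lock.json.
    Handles lockfileVersion 2/3 ("packages" keyed by path) and version 1."""
    found = []
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Package name is everything after the last "node_modules/";
            # this keeps scoped names such as "@scope/name" intact.
            name = path.rsplit("node_modules/", 1)[-1]
            found.append((name, meta.get("version", "")))
    else:
        _walk_v1(lock.get("dependencies", {}), found)
    return found


def find_compromised(lock: dict, advisory=COMPROMISED_VERSIONS) -> list:
    """Sorted, de-duplicated (name, version) pairs that appear on the advisory."""
    return sorted({(n, v) for n, v in installed_packages(lock)
                   if v in advisory.get(n, ())})


def env_vars_holding_npm_tokens(env) -> list:
    """Names of environment variables whose value looks like an npm token."""
    return sorted(k for k, v in env.items() if NPM_TOKEN_RE.search(v or ""))


def npmrc_lines_with_literal_tokens(text: str) -> list:
    """1-based line numbers of .npmrc entries embedding a literal _authToken
    instead of a ${VAR} reference that is resolved only at run time."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if "_authToken=" in line and "${" not in line]


# Constructed sample inputs so the script runs stand-alone.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-colors-utils": {"version": "4.2.1"},
        "node_modules/@example/ci-helper": {"version": "1.9.2"},
        "node_modules/example-app-shell/node_modules/example-colors-utils":
            {"version": "4.1.0"},
    },
}
SAMPLE_ENV = {"NODE_AUTH_TOKEN": "npm_" + "A" * 36, "HOME": "/home/dev"}
SAMPLE_NPMRC = ("//registry.npmjs.org/:_authToken=npm_" + "B" * 36 + "\n"
                "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n")

if __name__ == "__main__":
    lock_path = Path("package-lock.json")
    lock = json.loads(lock_path.read_text()) if lock_path.exists() else SAMPLE_LOCK
    npmrc_path = Path.home() / ".npmrc"
    npmrc = npmrc_path.read_text() if npmrc_path.exists() else SAMPLE_NPMRC
    env = os.environ if lock_path.exists() else SAMPLE_ENV

    print("compromised versions installed:", find_compromised(lock))
    print("env vars holding npm tokens:", env_vars_holding_npm_tokens(env))
    print(".npmrc lines with literal tokens:", npmrc_lines_with_literal_tokens(npmrc))
```

Run it inside a project directory to audit the real `package-lock.json`, your environment and `~/.npmrc`; with no lockfile present it falls back to the constructed samples. A hit in the second or third check means a token the worm could have harvested is stored in plain text, so that token should be rotated and publishing moved to a short-lived, MFA-protected flow.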
Source: https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/