Executive Summary

On 16/09/2025, multiple security researchers and publications reported a software-supply-chain ((tracked as Shai-Hulud) incident that injected a self-propagating credential-stealing worm (Bundle.js) code into dozens to hundreds of npm packages, including some packages published under a CrowdStrike npm account. The malicious packages reportedly exfiltrate credentials and propagate by publishing further compromised packages. The campaign briefly used the crowdstrike-publisher npm account to publish trojanised packages; CrowdStrike removed those versions and rotated public registry keys

What Happened and Confirmed impacted Elements/IOCs

• A malicious package believed first trojanised on 14 Sept 2025, 17:58 UTC was used as initial vector; it used a payload that runs TruffleHog to search for secrets on a host and cloud metadata endpoints, then exfiltrated or abused found tokens. The malware is capable of Linux/macOS execution and targets developer/CI contexts.
• The malware is described as self-replicating and credential-stealing: every install can harvest credentials and publish further infected packages:
  • @ctrl/[email protected],4.1.2
  • [email protected]
  • [email protected]
  • @crowdstrike/[email protected],8.1.2
  • @crowdstrike/[email protected]

Just to name a few.

• Common secrets which were stolen: GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, other CI secrets and PATs
• Exfiltration / staging indicators: creation of public GitHub repository names with “Shai-Hulud” in the repo name (used to publish stolen secrets), and creation of unauthorized .github/workflows/* GitHub Actions YAMLs that perform exfiltration steps
• Known attacker behavior: validation of tokens via GitHub “whoami” endpoints, contacting GitHub APIs, contacting remote webhook endpoints (reports reference webhook[.]site / attacker controlled webhooks used as exfil sinks).

Likely Adversary behaviour:

• Initial Access: compromise of npm publisher account(s) or compromise of maintainer environment with npm credentials.
• Payload: self-propagating JavaScript that exfiltrates credentials found on host, searches for local npm credentials or tokens, and uses discovered credentials to publish additional infected packages.
• Propagation: uses npm publishing APIs / GitHub APIs to create new packages or update package tarballs.
• Data exfiltration: secrets, tokens, possibly environment variables or credential files on developer machines and CI runners.

Containment & Eradication (recommended)

• If you use any affected packages: immediately remove or pin to known-good versions (downgrade or use local clean cache/artifacts).
• Rebuild: Wipe and rebuild compromised developer workstations and CI runners from known-good images. Do not rely on in-place remediation for suspect hosts.
• Registry account hygiene: For any internal or third-party publisher accounts used by your organization, enforce MFA, rotate publish tokens, and review account access logs.
• Rotate all potentially exposed credentials NOW: rotate/revoke any secrets that may have been present on developer machines or CI runners during the affected window: NPM tokens, GitHub PATs and Actions secrets, cloud provider keys (AWS, Azure, GCP). Treat tokens as compromised until proven otherwise.

Recovery & hardening

• Harden developer machines & CI: restrict access to secrets in local environments, avoid storing PATs in plain environment variables on developer devices, move build secrets to secret managers accessible only at build time.
• Implement signed packages (where possible) and verify package integrity via lockfiles and checksums.
• Add SBOM generation to CI and automatic scanning for newly published packages.

CrowdStrike Response

• Confirmed detection of several malicious npm packages in the public registry, removed those packages and rotated keys in public registries; stated the Falcon sensor/platform is not impacted and customers remain protected. Ongoing investigation with npm. Multiple security vendors (ReversingLabs, OX Security, StepSecurity, Aikido, Wiz) have analyzed the campaign and warned of its wormlike, self-propagation characteristics and the attacker goal of token/cloud-credential theft and automation of downstream compromise.

Sources

• https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180- software-packages/?utm_source=chatgpt.com
• https://thehackernews.com/2025/09/40-npm-packagescompromised-in-supply.html?utm_source=chatgpt.com
• https://www.crowdstrike.com/enus/services/respond/?utm_source=chatgpt.com
• https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hit-in-major-supply-chain-attack/