Urgent Security Advisory – “Shai-Hulud” npm Worm

DAVIES MEYER is issuing an urgent advisory about a widespread npm supply-chain compromise.
A self-propagating malware campaign, commonly called Shai-Hulud, has been observed trojanizing npm packages by compromising maintainer credentials and inserting post-install payloads that harvest tokens and secrets.
Impact & Behavior
- Propagation: Maintainer accounts are compromised; malicious packages are published; credentials are stolen and used to compromise additional packages automatically.
- Malicious actions: Post-install scripts scan for secrets (npm tokens, GitHub PATs, cloud keys) and exfiltrate them; GitHub workflows are injected for persistence.
- Scope: Dozens to hundreds of packages are impacted, including high-traffic ones like @ctrl/tinycolor.
Recommended Actions
1. Audit and remove affected packages; rebuild from clean sources.
2. Rotate/revoke all potentially compromised credentials.
3. Review GitHub repos/workflows for suspicious activity.
4. Enforce MFA, least privilege, and stronger CI/CD controls.
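As an added example (not part of DAVIES MEYER's advisory), the following Python helpers support step 1 above: they flag lockfile entries that match an affected-package list and list every installed package that declares an npm install-time hook, which is where the post-install payloads described above execute. It assumes a lockfileVersion 2 or 3 package-lock.json; the affected list contains only the package the advisory names and must be maintained from the vendor feeds it cites.

```python
import json
from pathlib import Path

# Illustrative block list: the advisory names @ctrl/tinycolor; extend it from vendor IOC feeds.
AFFECTED_PACKAGES = {"@ctrl/tinycolor"}

# npm lifecycle hooks that run arbitrary code during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def affected_in_lockfile(lock_text, affected=AFFECTED_PACKAGES):
    """Return sorted (name, version) pairs from a lockfileVersion 2/3 package-lock.json
    that are in the affected set. The 'packages' map is keyed by install path, so the
    package name is taken from the last 'node_modules/' segment of that path."""
    packages = json.loads(lock_text).get("packages", {})
    hits = set()
    for path, meta in packages.items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project; other entries are local workspaces
        name = meta.get("name") or path.rsplit("node_modules/", 1)[1]
        if name in affected:
            hits.add((name, meta.get("version", "?")))
    return sorted(hits)


def install_hooks(package_json_text):
    """Return the install-time lifecycle scripts declared by a package.json (may be empty)."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_node_modules(root):
    """Walk an installed node_modules tree and map each package path to its install hooks,
    so every hook can be reviewed before the tree is trusted or rebuilt from clean sources."""
    findings = {}
    for pkg_json in Path(root, "node_modules").rglob("package.json"):
        hooks = install_hooks(pkg_json.read_text(encoding="utf-8", errors="replace"))
        if hooks:
            findings[str(pkg_json.parent.relative_to(root))] = hooks
    return findings


# Constructed sample data so the helpers run stand-alone (placeholder version, not real IOCs)
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@ctrl/tinycolor": {"version": "0.0.0-placeholder"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
SAMPLE_PACKAGE_JSON = json.dumps({"name": "demo-dep", "scripts": {
    "postinstall": "node install.js", "test": "jest"}})

if __name__ == "__main__":
    print(affected_in_lockfile(SAMPLE_LOCK), install_hooks(SAMPLE_PACKAGE_JSON))
```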
Next Steps
DAVIES MEYER continues to monitor vendor feeds (Unit 42, Trend Micro, Wiz, Socket, JFrog) and will publish updates with indicators of compromise (IOCs).
👉 If your team needs immediate support to audit dependencies, rotate credentials, or secure build pipelines, please contact DAVIES MEYER’s security team. We are ready to assist with urgent checks and remediation.