Shai-Hulud Worm Prowls npm to Steal Hundreds of Secrets
A secret-stealing worm is spreading fast across the npm ecosystem, experts have warned
The Worm tag covers self-spreading malware that can spread rapidly, plus reported incidents, technical analysis, disruption efforts, and defensive guidance.
Search across headline titles and summaries.
Background for this topic.
Worms are malware programs that replicate and spread between systems without needing to attach to another file. They may move through exploitable network services, vulnerable applications, removable media, or other connected paths; the route depends on the family. Their defining concern is rapid propagation: one compromised host can seed many others, causing outages or resource exhaustion and, in some cases, delivering additional code or enabling unauthorized access.
Security teams should assess worm reports alongside the affected software and exposure details. Priorities include applying patches or mitigations, disabling unnecessary services, and segmenting networks to limit movement. Monitor for unusual scanning, repeated connection attempts, and clusters of similar infections. During an incident, isolate affected systems, restrict relevant communications where practical, preserve forensic evidence, and verify that vulnerable hosts are remediated before reconnecting them.
A secret-stealing worm is spreading fast across the npm ecosystem, experts have warned
The newly emerged worm has spread across hundreds of open source software packages, stealing credentials and infecting other components without much direct attacker input.
Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack. The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, and has now expanded to CrowdStrike's npm namespace. [...]
Intrusions bear the same hallmarks as recent Nx mess The npm platform is the target of another supply chain attack, with crims already compromising 187 packages and counting.…
At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.
The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk