npm (Shai-Hulud) Supply Chain Attack


What is the Attack?

On November 24, 2025, Shai-Hulud launched a second supply-chain attack, compromising Zapier, ENS, AsyncAPI, PostHog, and Postman, along with over 25,000 affected repositories across ~350 unique users.
See: Shai Hulud 2.0 Strikes Again: Malware Supply-Chain Attack Hits Zapier & ENS Domains

On September 8, 2025, attackers phished the npm maintainer “qix” and stole their two-factor authentication (2FA) credentials. With that access, they published malicious versions of some very popular npm packages (including debug, chalk, and ansi-styles).

The impact is considered high risk for applications that serve frontend JavaScript, especially those handling payments, cryptocurrency, or wallet flows. Reports indicate that these compromised versions were live for about two hours before removal.

According to the CISA Alert on this incident, the campaign also involved a self-replicating worm publicly known as “Shai-Hulud,” which compromised over 500 packages. After gaining initial access, the malicious actor deployed malware that scanned environments for sensitive credentials. The attacker specifically targeted GitHub Personal Access Tokens (PATs) and API keys for major cloud platforms, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

What is the recommended Mitigation?

  • Dependency Controls
    – Pin dependencies to known-safe versions.
    – Blocklist malicious versions in private registries/proxies.
    – Rebuild from a clean state and invalidate CDN caches.

  • Credential Hygiene
    – Rotate npm, GitHub, and cloud tokens.
    – Enforce phishing-resistant MFA (e.g., hardware keys).

  • CI/CD Hardening
    – Audit secrets, webhooks, and GitHub Actions.
    – Enable secret scanning and branch protections.
    – Add guardrails to detect tampered dependencies before production build.

  • Network & Runtime Defense
    – Block outbound traffic to known exfiltration domains.
    – Continuously monitor for new IoCs related to npm compromise.
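The "Dependency Controls" and "CI/CD Hardening" items above both come down to one gate: before a production build, check the resolved lockfile against a blocklist of known-bad package versions and stop if anything matches. The script below is an added example, not code from FortiGuard Labs or any Fortinet product; the package names and versions in BLOCKLIST and SAMPLE_LOCKFILE are constructed placeholders, not real indicators from this advisory, and should be replaced with the versions your registry proxy or advisory feed flags. It walks both the lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (flat `packages`) layouts of package-lock.json, so transitive dependencies are covered as well as direct ones.

```javascript
// Added example (not from the FortiGuard page): pre-build gate that scans an
// npm package-lock.json for blocklisted package versions.
// All names/versions below are CONSTRUCTED placeholders, not real IoCs.

// Blocklist: package name -> Set of versions known to be malicious.
// Constructed placeholder values; source these from your registry proxy
// or advisory feed in practice.
const BLOCKLIST = {
  'example-pkg': new Set(['1.2.3']),
  'another-pkg': new Set(['4.5.6', '4.5.7']),
};

// Yield every { name, version, path } resolved by a package-lock.json,
// handling both the v2/v3 "packages" map and the v1 nested "dependencies".
function* walkLockfile(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/a/node_modules/b"; the last segment after the final
    // "node_modules/" is the package name (scoped names keep their "@scope/").
    const marker = 'node_modules/';
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || !entry.version) continue; // root project entry
      const idx = path.lastIndexOf(marker);
      const name = idx === -1 ? (entry.name || path) : path.slice(idx + marker.length);
      yield { name, version: entry.version, path };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, '');
  }
}

// lockfileVersion 1: recurse through nested "dependencies" objects.
function* walkV1(deps, parent) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = parent ? `${parent}/node_modules/${name}` : `node_modules/${name}`;
    yield { name, version: entry.version, path };
    if (entry.dependencies) yield* walkV1(entry.dependencies, path);
  }
}

// Return every lockfile entry whose exact name/version pair is blocklisted.
function findBlockedPackages(lock, blocklist = BLOCKLIST) {
  const hits = [];
  for (const pkg of walkLockfile(lock)) {
    const bad = blocklist[pkg.name];
    if (bad && bad.has(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// Build gate: ok is false when any blocklisted version is resolved.
function lockfileGate(lock, blocklist = BLOCKLIST) {
  const hits = findBlockedPackages(lock, blocklist);
  return { ok: hits.length === 0, hits };
}

// Constructed sample lockfile (v3 shape). The blocked version is a transitive
// dependency nested under "safe-pkg"; the top-level "another-pkg" is clean.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/safe-pkg': { version: '2.0.0' },
    'node_modules/safe-pkg/node_modules/another-pkg': { version: '4.5.7' },
    'node_modules/another-pkg': { version: '4.4.0' },
  },
};

// Stand-alone run: report what the gate would block.
const result = lockfileGate(SAMPLE_LOCKFILE);
for (const h of result.hits) {
  console.log(`BLOCKED ${h.name}@${h.version} at ${h.path}`);
}
console.log(result.ok ? 'lockfile clean' : 'build should fail');
```

In a real pipeline, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` and exit non-zero when `ok` is false, and run the gate before `npm ci`. Pairing it with `npm ci --ignore-scripts` (a standard npm option) keeps install-time lifecycle scripts from running even if a bad version slips past the blocklist, which is the stage where the credential-harvesting payload described above would otherwise execute.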

What FortiGuard Coverage is available?

  • FortiCNAPP Cloud-Native Application Protection Platform can help protect against and detect related threats using the following services and features:
    See: How does Lacework FortiCNAPP Protect from… – Fortinet Community

    • Vulnerability Management & SCA: Detects the presence of compromised npm packages.

    • SAST: Detects the malicious scripts present when compromised npm packages are downloaded.

    • Runtime Threat Detection: If a compromise occurs, runtime threat detection will detect actions associated with this attack through Composite Alerts.

  • Web Filtering: Blocks access to domains controlled by attackers.

  • Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for emerging threats and new IOCs.

  • FortiGuard Antivirus & Behavior Detection: Detects malicious JS/HTML payloads (Shai-Hulud) from poisoned npm packages, and applies advanced behavioral analysis to detect and block unknown threats. See: Virus | FortiGuard Labs

  • FortiEDR / FortiClient: Detects suspicious script execution and unauthorized Git/token harvesting on endpoints.

  • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.
