Self-Replicating Shai Hulud Worm Infects NPM Packages

The recent discovery of the self-replicating Shai Hulud worm targeting NPM packages marks a significant escalation in supply chain attacks within the software development ecosystem. This worm propagates by injecting malicious code into JavaScript packages hosted on the NPM registry, which are then unknowingly downloaded and integrated by developers worldwide. The attack leverages the trust developers place in open-source packages, enabling widespread infection and potential data breaches or system compromises. Shai Hulud's self-replication mechanism allows it to spread rapidly across projects, making mitigation challenging. The worm's payload can execute arbitrary code, steal sensitive information, and create backdoors for persistent access. This incident underscores the critical need for enhanced security measures in package management systems, including rigorous code audits, dependency monitoring, and automated threat detection tools. Developers and organizations are urged to review their dependencies carefully, implement strict access controls, and stay informed about emerging threats in the software supply chain. The Shai Hulud worm serves as a stark reminder of the vulnerabilities inherent in open-source ecosystems and the importance of proactive cybersecurity practices to safeguard software integrity and protect end-users.

This Cyber News was published on www.darkreading.com. Publication date: Tue, 16 Sep 2025 20:25:06 +0000

Cyber News related to Self-Replicating Shai Hulud Worm Infects NPM Packages

Self-Replicating Shai Hulud Worm Infects NPM Packages - The recent discovery of the self-replicating Shai Hulud worm targeting NPM packages marks a significant escalation in supply chain attacks within the software development ecosystem. This worm propagates by injecting malicious code into JavaScript ...
3 weeks ago Darkreading.com

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com

Self-Replicating Worm Hits 180 Software Packages - A newly discovered self-replicating worm has compromised over 180 software packages, posing a significant threat to the software supply chain. This worm propagates by injecting malicious code into legitimate software packages, which are then ...
3 weeks ago Krebsonsecurity.com

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

Shai-Halud Supply Chain Attack: A New Threat to Cybersecurity - The Shai-Halud supply chain attack represents a significant escalation in cyber threats targeting global supply networks. This sophisticated attack exploits vulnerabilities in software supply chains, allowing threat actors to infiltrate multiple ...
3 weeks ago Cybersecuritynews.com

Supply Chain Worm Infects Hundreds of NPM Packages - A recent supply chain attack has compromised hundreds of NPM packages, posing significant risks to the JavaScript development community. This widespread infection involves malicious actors injecting harmful code into popular open-source libraries, ...
3 weeks ago Infosecurity-magazine.com

5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
6 months ago Cybersecuritynews.com

npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
2 months ago Bleepingcomputer.com

Tensorflow Supply Chain Compromise via Self-Hosted Runner Attack - Let's say TensorFlow wants to run a set of tests when a GitHub user submits a pull request. TensorFlow can define these tests in a yaml workflow file, used by GitHub Actions, and configure the workflow to run on the `pull request` trigger. One type ...
1 year ago Securityboulevard.com

Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
6 months ago Cybersecuritynews.com Lazarus Group

3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com

Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
6 months ago Cybersecuritynews.com Lazarus Group

Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
5 months ago Cybersecuritynews.com

New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
6 months ago Bleepingcomputer.com

P2PInfect Botnet Is Now Targeting MIPS-Based IoT Devices - The operator behind the growing P2PInfect botnet is turning their focus to Internet of Things and routers running the MIPS chip architecture, expanding their list of targets and offering more evidence that the malware is an experienced threat actor. ...
1 year ago Securityboulevard.com

Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
2 years ago Csoonline.com Hunters

Hackers breach Toptal GitHub account, publish malicious npm packages - In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates. According to code security ...
2 months ago Bleepingcomputer.com

Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com

Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
5 months ago Cybersecuritynews.com

Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
5 months ago Cybersecuritynews.com

GitHub tightens npm security with mandatory 2FA for access tokens - GitHub has announced a significant security enhancement for npm package maintainers by mandating two-factor authentication (2FA) for all access tokens. This move aims to bolster the security of the npm ecosystem, which is critical given the ...
2 weeks ago Bleepingcomputer.com

Arch Linux pulls AUR packages that installed Chaos RAT malware - Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) were used to install the CHAOS remote access trojan (RAT) on Linux devices. The AUR is a repository where Arch Linux users can publish package build scripts ...
2 months ago Bleepingcomputer.com

New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
6 months ago Cybersecuritynews.com