A recent, self-propagating NPM supply chain attack, dubbed "Shai-Hulud," has compromised over 187 packages, including several maintained by cybersecurity firm CrowdStrike. The incident highlights the rapidly evolving nature of software supply chain threats, with one observer, Damián, noting on social media how quickly a CrowdStrike blog post defending against such attacks had become "old." The attack underscores the constant challenge of maintaining robust defenses in the face of sophisticated and fast-moving cyber threats.
The "Shai-Hulud" campaign, which began around September 15, 2025, involved malicious code inserted into popular NPM packages. This malware, identified as a self-propagating worm, harvests sensitive data and exfiltrates it to attacker-controlled GitHub repositories. Security researchers from Wiz and Socket identified that the malicious code uses a `bundle.js` script to deploy the legitimate secret scanning tool TruffleHog, which is then abused to steal tokens and cloud credentials.
Among the compromised packages were several under the `@crowdstrike` namespace, such as `@crowdstrike/commitlint` and `@crowdstrike/falcon-shoelace`. A CrowdStrike spokesperson confirmed the incident, stating, "After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries." The company emphasized that these compromised packages are not used in their core Falcon sensor, and their platform remains unaffected, ensuring customer protection.
This attack follows other significant supply chain compromises in the same month, including the "s1ngularity" attack that affected GitHub accounts and phishing incidents targeting maintainers of popular NPM packages like `chalk` and `debug`. The "Shai-Hulud" campaign's ability to self-propagate by using stolen credentials to publish malicious updates to other packages by the same maintainer marks a severe escalation in supply chain attack sophistication. Cybersecurity experts are urging developers and organizations to implement immediate remediation steps, including removing malicious versions, auditing environments for signs of compromise, and rotating all potentially leaked credentials.