The npm ecosystem recently experienced its third major attack, involving the compromise of numerous packages, including the @ctrl/[email protected] package, initially reported by Daniel Pereira. JFrog's malware scanners later identified 164 malicious packages across 338 versions, all containing variations of a data-stealing payload disguised as system optimization software. This payload, known as the Shai-Hulud Data Stealer, collects sensitive information from platforms such as GitHub, npm, AWS, and GCP, uses TruffleHog to search for secrets, and then stores the stolen data in a GitHub repository named Shai-Hulud. The attack's successive iterations indicate that the attacker kept adjusting the payload: some versions extend the theft to Azure credentials, while others make the victim's repositories private. Users affected by these compromised packages are advised to rotate access tokens for the affected services and to consider using JFrog Curation for proactive defense against malicious packages. While the attack's resemblance to a previous NX CLI compromise suggests a possible link, the exact attribution remains uncertain.