Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages
Blog post from Sysdig
On September 15, 2025, a supply chain attack against the NPM repository was discovered: a self-replicating worm named Shai-Hulud had infected approximately 200 packages, including popular ones such as @ctrl/tinycolor and several owned by CrowdStrike. The malware runs during the post-install phase of a compromised package, steals credentials, and attempts to exfiltrate them to sites such as webhook[.]site; it also frequently makes private GitHub repositories public.

The worm spreads through the NPM ecosystem itself: it modifies package.json files so that its malicious script executes on install, and it uses tools such as TruffleHog to discover sensitive credentials on the infected host. The Sysdig Threat Research Team has been actively monitoring the worm and notes that its spread has slowed because of quick responses.

Detection and mitigation rely on tools such as Falco and Sysdig Secure to monitor for suspicious activity, for example the creation of new public repositories with specific names. The post stresses that runtime threat detection matters because supply chain attacks are becoming more frequent.
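As an added defensive example, not code from the Sysdig post: a small Node.js audit that checks parsed npm manifests for the two traits described above, an install-time lifecycle hook that executes a script, and dependencies whose names appear on a known-compromised list. The compromised list holds only the package the post names, and the manifest, lockfile, hook file name and versions are constructed sample data.

```javascript
// Added example, not code from the Sysdig post. Flags the two traits described
// above: install-time lifecycle hooks that run code, and known-compromised deps.
// Only the package the post names is listed; load the full advisory list in practice.
const KNOWN_COMPROMISED = new Set(['@ctrl/tinycolor']);

// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Audits one parsed package.json object and returns a list of findings.
function auditManifest(manifest, compromised = KNOWN_COMPROMISED) {
  const findings = [];
  const name = manifest.name || '<unnamed>';
  if (compromised.has(name)) findings.push({ package: name, kind: 'known-compromised' });
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    // Any install hook deserves review; one that hands a JS file to node is the
    // pattern the post attributes to the worm.
    const runsJs = /\bnode\b[^&|;]*\.[cm]?js\b/.test(cmd);
    findings.push({ package: name, kind: runsJs ? 'install-hook-runs-js' : 'install-hook', hook, cmd });
  }
  return findings;
}

// Walks a lockfile v2/v3 "packages" map (keys like "node_modules/@ctrl/tinycolor",
// possibly nested under another dependency) and lists every installed copy.
function findCompromisedInLock(lock, compromised = KNOWN_COMPROMISED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (compromised.has(name)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// Constructed sample inputs; the hook file name and versions are made up.
const SAMPLE_MANIFEST = {
  name: '@ctrl/tinycolor',
  scripts: { build: 'tsc', postinstall: 'node setup-hook.js' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@ctrl/tinycolor': { version: '0.0.0-constructed' },
    'node_modules/some-dep/node_modules/@ctrl/tinycolor': { version: '0.0.0-nested' },
  },
};
```

Run `auditManifest` over every package.json under node_modules and `findCompromisedInLock` over package-lock.json; a hit on either is a reason to rotate the tokens that host could reach.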