A sophisticated supply chain attack compromised nearly 200 NPM packages, including more than 20 from CrowdStrike. Although the malicious packages were swiftly removed and CrowdStrike confirmed its Falcon platform was unaffected, the incident has raised fresh concerns about the security of JavaScript packages used outside the browser.
The attack, dubbed “Shai-Hulud” after a Dune reference, featured a self-propagating worm that infected downstream packages automatically. Researchers say the malware scanned systems for secrets, validated credentials, created unauthorized GitHub workflows, and exfiltrated data to external servers.
Security experts, including StepSecurity and Cyble, called the campaign a major escalation in supply chain threats. Cyble noted the attackers used coordinated automation and advanced persistence techniques, possibly pointing to state-sponsored involvement.
CrowdStrike responded by removing the compromised packages, rotating public registry keys, and launching an investigation. The initial entry point remains unclear, though phishing does not appear to be the cause.
Cyble and other researchers recommend urgent action, including:
- Auditing systems for compromised packages
- Rotating exposed credentials
- Scanning dependencies automatically
- Reviewing GitHub workflows for suspicious files
- Enforcing multi-factor authentication and code signing
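As an added example (not code from the article, CrowdStrike or Cyble), the first and fourth steps above can be scripted: audit a `package-lock.json` against an advisory list of compromised `name@version` pairs, and flag workflow files under `.github/workflows` that are not on the repository's expected list. Every package name, version and workflow filename here is a constructed placeholder, not a real indicator from the campaign.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for known
// compromised package@version pairs and flag unexpected GitHub workflow files.
// All names and versions below are CONSTRUCTED placeholders.

// Constructed advisory list: "<name>@<version>" treated as compromised.
const COMPROMISED = new Set(["example-sdk@2.4.1", "@example-org/telemetry@0.9.3"]);

// Constructed lockfile fragment in the npm lockfile v2/v3 shape.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-sdk": { version: "2.4.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/@example-org/telemetry": { version: "0.9.3" },
  },
};

// Return "name@version" for every installed package. The name is everything
// after the LAST "node_modules/", so nested installs and scoped packages work.
function installedPackages(lockfile) {
  const out = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !meta.version) continue; // skip the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    out.push(`${name}@${meta.version}`);
  }
  return out;
}

// Installed package@version strings that appear on the compromised list.
function findCompromised(lockfile, compromised = COMPROMISED) {
  return installedPackages(lockfile).filter((pkg) => compromised.has(pkg));
}

// Workflow files present in .github/workflows but absent from the repository's
// allowlist; an unexplained new workflow is a review trigger.
function unexpectedWorkflows(presentFiles, expectedFiles) {
  const expected = new Set(expectedFiles);
  return presentFiles.filter((f) => !expected.has(f));
}

// Constructed directory listing and allowlist for one repository.
const WORKFLOWS_PRESENT = ["ci.yml", "release.yml", "unknown-publish.yml"];
const WORKFLOWS_EXPECTED = ["ci.yml", "release.yml"];

console.log("compromised:", findCompromised(SAMPLE_LOCKFILE));
console.log("unexpected workflows:", unexpectedWorkflows(WORKFLOWS_PRESENT, WORKFLOWS_EXPECTED));
```

In a real audit, the lockfile would be read from disk and the compromised list taken from the vendor advisory; only lockfile v2/v3 is parsed here, as v1 nests packages under `dependencies` instead.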
Following a similar attack in August, Nx implemented stricter security controls, including manual release approvals and NPM Trusted Publishers.