A terrifying, self-replicating malware has infected npm packages with over 2 million downloads per week – here's how to stay safe

By Sead Fadilpašić

Copyright techradar

17 September 2025

Attacks against npm users continue


A new supply-chain attack compromised at least 187 npm packages, targeting developer secrets across software projects
Shai-Hulud worm looks to steal credentials, modify packages, and spread malware through GitHub Actions and npm tokens
Researchers warn the number of compromised packages is likely to grow

At least 187 malicious npm packages have been uncovered as part of yet another major supply-chain attack against software developers.

Security researchers from Socket, StepSecurity, and Aikido all detected an ongoing campaign, apparently being orchestrated by the same group that targeted Nx several weeks ago.
As in that campaign, the attackers were after developer secrets: login credentials, AWS keys, GCP and Azure service credentials, GitHub personal access tokens, npm authentication tokens, and whatever credentials could be pulled from cloud metadata endpoints.


Many affected
However, the attack methodology evolved, the researchers noted.

“The scale, scope and impact of this attack is significant,” they explained. “The attackers are using the same playbook in large parts as the original attack, but have stepped up their game.”
This time around, the attackers built a worm, named Shai-Hulud (a nod to the sandworms of Dune). It harvests secrets with tools like TruffleHog and with queries to cloud metadata endpoints, then publishes the haul to GitHub publicly. It also drops a malicious GitHub Action that sends secrets to an attacker-controlled webhook and hides them in logs. Finally, it uses any stolen npm tokens to modify and republish every package the maintainer controls, embedding the worm in each one, which is what lets it spread from one compromised maintainer to the next.
Among the compromised npm packages are those from cybersecurity experts CrowdStrike, as well as others with millions of weekly downloads.
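As an added example (not code from the article or from any of the researchers or vendors quoted), here is a Python audit that applies the two checks a practitioner wants after reading the above: it matches a project's package-lock.json against an advisory list of compromised package@version pairs, including nested transitive copies that npm installs separately, and it flags packages that declare install-time lifecycle scripts, the hook a worm of this kind relies on to execute when a poisoned version is installed. The package names and versions in the block are constructed placeholders, not real indicators of compromise; the advisory list, the sample lockfile and the sample package.json are all assumptions, and the advisory list should be replaced with the one from your vendor.

```python
"""Audit an npm project against an advisory list of compromised package versions
and flag install-time lifecycle scripts.

Added example; not code from the article or from Socket, StepSecurity, Aikido
or CrowdStrike. Every package name and version below is a constructed
placeholder, not a real indicator of compromise.
"""
import json
from pathlib import Path

# Assumed advisory list of (package name, version) pairs. Placeholder values.
COMPROMISED = {
    ("example-color-utils", "2.0.7"),
    ("@example/tinyhelper", "1.4.2"),
}

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def lockfile_packages(lock_text):
    """Yield (name, version, lock_path) for each entry of a lockfileVersion 2/3
    package-lock.json. Keys look like "node_modules/foo" or
    "node_modules/foo/node_modules/@scope/bar"; the package name is whatever
    follows the last "node_modules/", so scoped names keep their "@scope/"."""
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version"), path


def find_compromised(lock_text, bad=COMPROMISED):
    """Return "name@version (lock path)" for every installed package whose
    exact version is on the advisory list. Nested copies are reported too,
    because npm may keep a second copy of a package under another dependency."""
    return sorted(
        f"{name}@{version} ({path})"
        for name, version, path in lockfile_packages(lock_text)
        if (name, version) in bad
    )


def install_hooks(package_json_text):
    """Return the install-time lifecycle scripts declared by a package.json.
    A worm that republishes a maintainer's packages needs such a hook to run
    on the installing machine, so a hook appearing on a package that never
    had one is worth a look."""
    try:
        scripts = json.loads(package_json_text).get("scripts", {})
    except ValueError:
        return {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def audit_project(project_dir, bad=COMPROMISED):
    """Run both checks against a project directory on disk."""
    root = Path(project_dir)
    findings = {"compromised": [], "install_hooks": {}}
    lock = root / "package-lock.json"
    if lock.exists():
        findings["compromised"] = find_compromised(lock.read_text(), bad)
    for pkg_json in root.glob("node_modules/**/package.json"):
        hooks = install_hooks(pkg_json.read_text(errors="replace"))
        if hooks:
            findings["install_hooks"][str(pkg_json.parent.relative_to(root))] = hooks
    return findings


# Constructed sample lockfile: one clean version of a listed package, one
# compromised version, and a nested transitive copy of the compromised version.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-color-utils": {"version": "2.0.6"},
        "node_modules/@example/tinyhelper": {"version": "1.4.2"},
        "node_modules/left-thing": {"version": "0.9.0"},
        "node_modules/left-thing/node_modules/@example/tinyhelper": {"version": "1.4.2"},
    },
})

# Constructed sample package.json with an unexpected postinstall hook.
SAMPLE_PKG_JSON = json.dumps({
    "name": "@example/tinyhelper",
    "version": "1.4.2",
    "scripts": {"postinstall": "node setup_bundle.js", "test": "jest"},
})

if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK):
        print("compromised:", hit)
    print("install hooks:", install_hooks(SAMPLE_PKG_JSON))
```

Run `audit_project(".")` from a checked-out project to apply both checks to the real package-lock.json and node_modules tree; an exact version match is what matters here, because the worm republishes a new version of an otherwise legitimate package rather than a new package name.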

CrowdStrike, on its end, did what it could to mitigate the risk and minimize the damage.
“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” a CrowdStrike spokesperson said, The Register reports.
“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”
The number of packages known to be affected currently sits at 187, but the researchers warned it will most likely keep rising, as some potentially compromised packages are still pending validation.
Via The Register

Sead Fadilpašić


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
