Widespread npm Ecosystem Supply Chain Attack
The Widespread npm Supply Chain Attack, which began around September 8, 2025, was a multi-phased incident. In the initial phase a phishing campaign impersonating npm support captured maintainer credentials and one-time codes, giving the attackers control of maintainer accounts. They used that access to publish new versions of roughly twenty popular packages (including chalk and debug) carrying a cryptocurrency-stealing payload that ran in end users' browsers and tampered with wallet transactions. This was followed within days by the discovery of the “Shai-Hulud” worm campaign: malware that, when installed, harvested npm and GitHub tokens and cloud credentials from the victim's environment and then used any stolen npm publish tokens to push trojanized versions of the packages that victim maintained. This self-propagating behaviour allowed it to compromise over 500 npm packages.
Impact
This compromise affected hundreds of packages and potentially thousands of downstream applications that automatically pulled the malicious versions through unpinned or transitive dependencies. The injected payloads enabled credential theft, unauthorized command execution at install time, and persistent access in CI/CD environments where stolen tokens and injected workflows remained valid after the packages were cleaned up. The incident exposed the fragility of transitive dependency trust and underscored the urgency of enforcing 2FA for maintainers, signed package publishing, and dependency integrity verification (pinned versions, lockfile integrity hashes, and disabled install scripts) across the npm ecosystem.
Type of Compromise
This incident is classified as a Malicious Maintainer type of attack, as the attackers gained control of legitimate npm maintainer accounts (first through phishing, then through tokens stolen by the worm) and used those accounts' publish privileges to push malicious versions of otherwise legitimate packages.
References
- Breakdown: Widespread npm Supply Chain Attack Puts Billions of Weekly Downloads at Risk
- Ongoing Supply Chain Attack Involving npm Packages
- Shai-hulud supply chain attack spreads token-stealing malware on npm
- npm Chalk and Debug Packages Hit in Software Supply Chain Attack
- Another npm Supply Chain Attack: The ‘is’ Package Compromise