Widespread npm Ecosystem Compromise
The Widespread npm Ecosystem Compromise, which began around September 8, 2025, was a multi-phased incident. The initial phase involved a phishing campaign that compromised maintainer accounts, leading to the injection of a cryptocurrency-stealing payload into dozens of popular packages (like chalk and debug). This was quickly followed by the discovery of the “Shai-Hulud” worm campaign, which used a self-propagating credential-stealing malware to compromise over 500 npm packages.
Impact
The compromise resulted in a widespread infection across the npm ecosystem, affecting hundreds of packages and potentially thousands of downstream applications that automatically pulled malicious versions. The injected payloads enabled credential theft, unauthorized command execution, and persistent access within both developer and CI/CD environments.
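Because downstream applications were hit by automatically pulling newer, malicious versions, the practical checks after an incident like this are on the project side: does the resolved tree contain a known-bad name@version, do any direct dependencies use floating ranges, and are install-time lifecycle scripts disabled. The script below is an added example written for this entry; it is not part of the catalogue or of any vendor tooling. It reads the real lockfile v2/v3 `packages` layout and the real npm `ignore-scripts` setting, and the package names chalk, debug and is come from this entry, but every version string in the deny-list is a constructed placeholder (this entry lists no affected versions), and all function names and sample inputs are constructed for illustration.

```javascript
// Added example, not part of the catalogue entry: three offline checks a
// defender can run against an npm project after a maintainer-account compromise.
// Package NAMES chalk, debug and is appear in the entry above; every VERSION in
// the deny-list is a constructed placeholder, not a real affected version.

const PLACEHOLDER_BAD_VERSION = "0.0.0-compromised-placeholder"; // constructed

const DENY_LIST = {
  chalk: new Set([PLACEHOLDER_BAD_VERSION]),
  debug: new Set([PLACEHOLDER_BAD_VERSION]),
  is: new Set([PLACEHOLDER_BAD_VERSION]),
};

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/express/node_modules/debug" or "node_modules/@scope/name".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Check 1: does the resolved dependency tree contain a denied name@version?
// Nested copies are inspected too, because a transitive dependency can resolve
// a different copy than the top-level one.
function findCompromised(lockfile, denyList = DENY_LIST) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    const bad = denyList[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ name, version: meta.version, path: lockPath });
    }
  }
  return hits;
}

// Check 2: which direct dependencies use a range (^, ~, *, >=, "latest", ...)
// instead of an exact pin? Without a lockfile, a range lets `npm install`
// pull a freshly published malicious version automatically.
const EXACT_PIN = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function findUnpinned(packageJson) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(packageJson[section] || {})) {
      if (!EXACT_PIN.test(spec)) unpinned.push({ name, spec, section });
    }
  }
  return unpinned;
}

// Check 3: does .npmrc set ignore-scripts=true? Lifecycle scripts are the
// usual place for an install-time payload to execute commands.
function npmrcIgnoresScripts(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const trimmed = line.trim();
    if (trimmed.startsWith("#") || trimmed.startsWith(";")) return false; // comment
    const [key, value] = trimmed.split("=").map((s) => s.trim());
    return key === "ignore-scripts" && value === "true";
  });
}

// Constructed sample inputs standing in for a project's real files.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: PLACEHOLDER_BAD_VERSION },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: PLACEHOLDER_BAD_VERSION },
    "node_modules/is": { version: PLACEHOLDER_BAD_VERSION },
    "node_modules/@scope/is": { version: PLACEHOLDER_BAD_VERSION }, // different name, no hit
  },
};
const SAMPLE_PKG = {
  dependencies: { chalk: "^5.3.0", debug: "4.3.4" },
  devDependencies: { is: "~3.3.0" },
};
const SAMPLE_NPMRC = "ignore-scripts=true\nregistry=https://registry.npmjs.org/\n";

// Run all three checks and return one report object.
function runAudit(lock = SAMPLE_LOCK, pkg = SAMPLE_PKG, npmrc = SAMPLE_NPMRC) {
  return {
    compromised: findCompromised(lock),
    unpinned: findUnpinned(pkg),
    scriptsIgnored: npmrcIgnoresScripts(npmrc),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

On a real project, replace the three samples with `JSON.parse(fs.readFileSync("package-lock.json"))`, the parsed `package.json`, and the contents of `.npmrc`, and fill the deny-list from the advisory versions for the incident rather than the placeholders used here. The name check deliberately matches on the full lockfile path segment after the last `node_modules/`, so a scoped package with the same bare name does not produce a false positive.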
Type of Compromise
The npm ecosystem compromise is a Malicious Maintainer type of attack, as the attackers gained control of npm maintainer accounts and used those privileges to publish malicious versions of legitimate packages.
References
- Breakdown: Widespread npm Supply Chain Attack Puts Billions of Weekly Downloads at Risk
- Ongoing Supply Chain Attack Involving npm Packages
- Shai-hulud supply chain attack spreads token-stealing malware on npm
- npm Chalk and Debug Packages Hit in Software Supply Chain Attack
- Another npm Supply Chain Attack: The ‘is’ Package Compromise
- “Shai-Hulud” Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 23)
- “Massive npm infection: the Shai-Hulud worm and patient zero”
- What We Know About the NPM Supply Chain Attack