Lacework
srubin (Staff)
Article Id 414699
Description

This article explains a large supply chain attack campaign against npm packages, dubbed the "Shai-Hulud" attack. Between September 8th, 2025 and September 18th, 2025, a supply chain attack campaign was discovered that targeted 500+ npm packages, including the widely used @ctrl/tinycolor, chalk, several other @ctrl packages, several @crowdstrike packages, and many more. The compromised packages ran a post-install script that gathered sensitive and secret data from the installing host and exfiltrated it to public GitHub repositories named "Shai-Hulud". The attack exhibited worm-like behavior: using the credentials it had exfiltrated, it published the malicious post-install script into every npm package it could gain access to, eventually spreading to 500+ packages across the npm ecosystem.
Scope

Affected Versions: Multiple versions and packages affected

Attack Vector: A post-install script within affected NPM packages

Potential Impact: Exfiltration of sensitive data

In-depth information can be found at CISA.gov - Widespread Supply Chain Attack Impacted NPM

Solution

To mitigate this attack, users of affected packages should immediately rotate all secrets (anything the install-time script could have read on the host) and treat any host that installed an affected package as compromised. Affected packages should be removed immediately.

Lacework FortiCNAPP automatically detects all affected packages via its Vulnerability Management and Code Security modules. FortiCNAPP also detects more than 18,000 packages affected by various supply-chain malware campaigns across several ecosystems.
