A large-scale supply chain attack dubbed \u201cShai-Halud\u201d that infiltrated the JavaScript ecosystem via the npm registry.\u00a0<\/p>\n
In total, 477 packages, including packages from CrowdStrike<\/a><\/span>, were found to contain stealthy backdoors and trojanized modules designed to siphon credentials, exfiltrate source code, and enable\u00a0remote code execution (RCE)\u00a0on developer machines.<\/p>\n The adversary\u2019s campaign began in early August 2025, when compromised maintainer accounts were used to publish malicious updates under minor version bumps (e.g., from 1.2.3 to 1.2.4).\u00a0<\/p>\n Each update injected a small, obfuscated payload within the module entry file (typically index.js). This loader reached out to a command-and-control (C2)<\/a> server to fetch a second-stage payload.\u00a0<\/p>\n Socket reports that the payload searched project directories for .env files, SSH private keys (id_rsa), and Git credentials stored in .git\/config, then transmitted them in encrypted form back to the attacker\u2019s infrastructure.<\/p>\n Packages compromised<\/p>\n Shai-Halud\u2019s<\/a> use of version-range hijacking allowed attackers to maintain persistence: downstream projects specifying dependencies with loose semver ranges (e.g., \u201c^1.2.0\u201d) automatically pulled in the trojanized release.\u00a0<\/p>\n Many high-profile libraries, ranging from development tools and CLI utilities to UI component frameworks, were affected, amplifying the blast radius. Detection strategies include:<\/p>\n Integrate tools like npm audit, Snyk, or OWASP<\/a> Dependency-Check into CI pipelines to flag anomalous version releases.<\/p>\n Validate package integrity against known good SHA-256 hashes via npm ci \u2013prefer-offline \u2013hash-checksums. Employ runtime monitoring (e.g., Sysmon on Windows, auditd on Linux) to detect unexpected network calls or use of eval().<\/p>\n As open-source ecosystems remain a prime target, securing the software supply chain<\/a> through rigorous validation and continuous monitoring is more critical than ever.<\/p>\n The post Massive \u201cShai-Halud\u201d Supply Chain Attack Compromised 477 NPM Packages<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/strong>
1. Obfuscated backdoors hit 477 npm packages via minor version updates.
2. Payload harvested and exfiltrated credentials to a C2 server.
3. Fix by pinning versions, supply-chain scanning, checksum checks, and rotating secrets.<\/pre>\nShai-Halud Supply Chain Attack<\/strong><\/h2>\n
![\"Packages](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-95.png?resize=999%2C633&ssl=1\")
<\/figure>\n<\/div>\nMitigations\u00a0<\/strong><\/h2>\n
\n
Free live\u00a0webinar\u00a0on new malware tactics from our analysts! Learn advanced detection techniques ->\u00a0Register for Free<\/a><\/code><\/strong><\/p>\n