CISA Warns of ‘Shai-Hulud’ npm Worm: Review Dependencies, Rotate Developer Secrets
CISA issued an alert urging organizations to perform immediate due diligence on any software that depends on the npm ecosystem after a self-replicating supply-chain worm, dubbed “Shai-Hulud,” compromised more than 500 packages on npmjs[.]com. According to CISA, once the actors obtained a foothold, the malware harvested secrets from developer workstations and build environments, including GitHub Personal Access Tokens and API keys for major cloud providers, then exfiltrated those credentials to attacker-controlled infrastructure and a public GitHub repository before using them to propagate. The worm authenticated to npm as the compromised maintainer, injected malicious code, and rapidly published tainted versions to the registry, turning downstream consumers into additional distribution points.

CISA’s guidance emphasizes software composition hygiene and detection coverage: review all npm dependencies (including transitive ones) using lock files (e.g., “package-lock.json,” “yarn.lock”), search artifact repositories for cached copies of affected versions, and pin to known-good releases produced before September 16, 2025. The agency also recommends rotating all developer credentials, enforcing phishing-resistant MFA on developer platforms, monitoring for anomalous egress, blocking connections to “webhook[.]site” domains observed in the activity, and hardening repository security by pruning unneeded GitHub Apps/OAuth grants, auditing webhooks and secrets, and enabling branch protection, secret-scanning alerts, and automated dependency security updates.
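The dependency review CISA describes (walk the lock file including transitive entries, match against affected versions, and pin to releases produced before the September 16, 2025 cutoff) can be scripted against package-lock.json. The following is an added example written for this article, not code from CISA or GitHub. The lock file contents, the package names, the compromised-version list and the publish timestamps are all constructed placeholders; in practice the compromised list comes from the advisory or a vendor IoC feed, and the timestamps come from `npm view <pkg> time --json` fetched ahead of time.

```javascript
// Added example (not CISA's or GitHub's code): scan an npm lockfile for
// dependencies that match a list of compromised versions, and for any
// dependency whose installed version was published on or after a cutoff date.
// All inputs below are constructed samples; the package names and
// versions are placeholders, not real indicators from the advisory.

// Constructed package-lock.json (lockfileVersion 3 layout: a flat "packages"
// map keyed by node_modules path, which includes transitive dependencies).
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0", dependencies: { "example-lib": "^2.1.0" } },
    "node_modules/example-lib": { version: "2.1.3", resolved: "https://registry.npmjs.org/example-lib/-/example-lib-2.1.3.tgz" },
    "node_modules/example-lib/node_modules/example-util": { version: "0.9.1" },
    "node_modules/example-safe": { version: "4.0.0" },
  },
};

// Constructed list of known-bad package@version pairs (placeholder values;
// in practice this comes from the advisory or your vendor's IoC feed).
const COMPROMISED = new Set(["example-lib@2.1.3", "example-other@1.0.0"]);

// Constructed publish timestamps, in the shape returned by
// `npm view <pkg> time --json` (assumed fetched beforehand).
const PUBLISH_TIMES = {
  "example-lib": { "2.1.2": "2025-09-10T08:00:00.000Z", "2.1.3": "2025-09-17T02:15:00.000Z" },
  "example-util": { "0.9.1": "2025-08-01T12:00:00.000Z" },
  "example-safe": { "4.0.0": "2025-09-20T09:30:00.000Z" },
};

// CISA: pin to known-good releases produced before September 16, 2025.
const CUTOFF = new Date("2025-09-16T00:00:00Z");

// Derive the package name from a lockfile "packages" key: the segment after
// the last "node_modules/", keeping a scope prefix such as "@scope/name".
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Walk every installed package (direct and transitive) and report findings.
function auditLockfile(lockfile, compromised, publishTimes, cutoff) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue; // skips the root project entry ""
    const spec = `${name}@${entry.version}`;
    if (compromised.has(spec)) {
      findings.push({ spec, reason: "listed-compromised" });
      continue;
    }
    const published = publishTimes[name] && publishTimes[name][entry.version];
    if (published && new Date(published) >= cutoff) {
      findings.push({ spec, reason: "published-after-cutoff" });
    }
  }
  return findings;
}

// For a flagged package, pick the newest version published before the cutoff
// as a pin candidate (null if no such version is known).
function latestBeforeCutoff(name, publishTimes, cutoff) {
  const times = publishTimes[name] || {};
  const ok = Object.entries(times).filter(([, t]) => new Date(t) < cutoff);
  if (ok.length === 0) return null;
  ok.sort((a, b) => new Date(a[1]) - new Date(b[1]));
  return ok[ok.length - 1][0];
}

const results = auditLockfile(SAMPLE_LOCKFILE, COMPROMISED, PUBLISH_TIMES, CUTOFF);
for (const f of results) {
  const name = f.spec.slice(0, f.spec.lastIndexOf("@")); // safe for @scope/name
  console.log(`${f.spec}: ${f.reason}; pin candidate: ${latestBeforeCutoff(name, PUBLISH_TIMES, CUTOFF)}`);
}
```

The date check is deliberately coarse: a version published after the cutoff is flagged for review, not declared malicious, because the advisory's guidance is to prefer releases produced before the at-risk window until provenance has been re-verified. Run the same audit against cached tarballs in an internal artifact repository, since a clean lock file does not clear copies already mirrored there.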
GitHub responders were notified on September 14 and traced the intrusion to a compromised maintainer account before removing roughly 500 malicious packages from the registry and blocking uploads matching the campaign’s indicators to disrupt further replication. GitHub’s security leadership warned that the blend of self-replication and multi-platform secret theft could have enabled a long-running wave of follow-on attacks absent rapid takedowns, and researchers noted this is the first worm-like supply-chain incident to successfully spread within this ecosystem. Additional context reported by Recorded Future News’ The Record details why the event matters operationally: secrets stolen from developer environments can be used to impersonate services, access internal cloud resources, and tamper with code, and the worm’s auto-propagation means a single compromise can cascade through dependency chains.

In practical terms, CISA urges organizations to treat this as both an incident response and hardening exercise: immediately rotate tokens and keys tied to development, CI/CD, and cloud accounts; expand logging and egress monitoring for developer and build networks; and re-verify provenance for any packages built or published during the at-risk window.
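The egress monitoring that both paragraphs call for (block and alert on connections to the “webhook[.]site” domains observed in the activity from developer and build networks) reduces to a suffix match over DNS and proxy logs, keyed by the internal host that made the attempt so that host's secrets can be prioritized for rotation. The block below is an added example for this article, not tooling from CISA, GitHub or any vendor; the log line format, the internal host names and the timestamps are constructed samples, and only the blocked domain itself comes from the advisory.

```javascript
// Added example (not from CISA's advisory or any vendor tool): scan constructed
// DNS and proxy log lines for egress to a blocked domain or its subdomains,
// and summarize which internal hosts made the attempts so they can be triaged.
// The log format and the internal host names below are constructed samples.

// Registrable domains to block; any subdomain of an entry also matches.
// webhook.site is the domain the advisory names; add others from your own IoCs.
const BLOCKED_DOMAINS = new Set(["webhook.site"]);

// Constructed sample lines: "<timestamp> <source-host> <dns|proxy> <destination> <action>"
const SAMPLE_LOG = `
2025-09-15T10:02:11Z build-runner-03 dns abcd1234.webhook.site query
2025-09-15T10:02:12Z build-runner-03 proxy abcd1234.webhook.site:443 CONNECT
2025-09-15T10:05:40Z dev-laptop-17 dns registry.npmjs.org query
2025-09-15T10:07:03Z dev-laptop-17 proxy notwebhook.site:443 CONNECT
2025-09-15T10:09:55Z ci-agent-08 proxy WEBHOOK.SITE:443 CONNECT
malformed line that should be skipped
`;

// True if host equals a blocked domain or is a subdomain of one.
// Case-insensitive; a trailing dot (FQDN form in some DNS logs) is ignored.
// "notwebhook.site" must NOT match "webhook.site", hence the "." + d check.
function isBlockedHost(host, blocked) {
  const h = host.toLowerCase().replace(/\.$/, "");
  for (const d of blocked) {
    if (h === d || h.endsWith("." + d)) return true;
  }
  return false;
}

// Parse one log line into a record; strips a ":port" suffix from proxy
// destinations. Returns null for blank or malformed lines.
function parseLine(line) {
  const m = line.trim().match(/^(\S+) (\S+) (dns|proxy) (\S+) (\S+)$/);
  if (!m) return null;
  const host = m[4].replace(/:\d+$/, "");
  return { ts: m[1], source: m[2], kind: m[3], host, action: m[5] };
}

// Scan all lines; return a Map of source host -> matched events.
function findBlockedEgress(logText, blocked) {
  const bySource = new Map();
  for (const raw of logText.split("\n")) {
    const rec = parseLine(raw);
    if (!rec || !isBlockedHost(rec.host, blocked)) continue;
    if (!bySource.has(rec.source)) bySource.set(rec.source, []);
    bySource.get(rec.source).push({ ts: rec.ts, kind: rec.kind, host: rec.host.toLowerCase() });
  }
  return bySource;
}

const hits = findBlockedEgress(SAMPLE_LOG, BLOCKED_DOMAINS);
for (const [source, events] of hits) {
  console.log(`${source}: ${events.length} event(s) to blocked domains -> rotate this host's credentials and review its recent builds`);
}
```

A DNS hit without a matching proxy CONNECT still matters: resolution alone shows the host ran code that wanted to reach the domain, which is enough to pull that machine's tokens and keys into the rotation set. Adapting the regular expression to a real log source (Zeek, Suricata, a proxy's access log) is the only change needed for production use.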