The malware attack on the npm repository, which distributes open-source packages for the widely used programming language JavaScript, is far more severe than feared: A malware worm introduced into the system has now infected over 180 software packages.
At least 180 open-source packages distributed via the npm repository for the JavaScript programming language are infected by a self-replicating worm. The malware steals credentials and identifies repositories of other open-source packages, infiltrating them and further spreading throughout the npm ecosystem.
Cybersecurity experts have identified a new wave of malware being distributed through the npm package registry. Although the malware being spread this time is of a different nature, it is believed to stem from the same attack on the repository discovered last week, which distributes open-source software packages for the JavaScript programming language.
"The compromised versions contain a function (NpmModule.updatePackage) that downloads a package tarball, modifies the package.json file, inserts a local script (bundle.js), repacks the archive, and republishes it, enabling an automatic trojanization of downstream packages," states a blog post by Socket, which also highlighted the first malware attack. Such self-replicating malware, also known as a worm, can rapidly spread further through the infected repository.
Other security researchers have reported concordantly on the malware. Unlike last week's attack, however, the worm does not deploy hidden cryptocurrency mining software but is potentially much more dangerous: it specifically targets and exfiltrates sensitive credentials from infected systems. The worm is spreading rapidly: while initial reports mentioned 40 affected packages, most sources now put the number of compromised packages at over 180; some estimates fear it could already be over 500.
Operation of the Malware
The software supply chain worm, which automatically replicates itself via dependent packages, operates as follows: malicious code is executed when compromised packages are installed. On the infected system, the injected malware scans for secret tokens (e.g., GITHUB_TOKEN, AWS_ACCESS_KEY_ID) and exfiltrates them via webhooks to external servers. The attack affects both Windows and Linux systems.
Subsequently, a file named bundle.js injected into the infected packages uses legitimate tools like TruffleHog to locate credentials for other packages distributed via the npm repository. GitHub repositories are then created or modified, workflows are injected, and new compromised versions of other packages are automatically published – including malicious code. Further insights into the malware's operation are provided by the StepSecurity blog.
The attackers use the repository "Shai-Hulud," named after the legendary sandworms from the science fiction epic Dune. The name is more than just a pop culture reference – the analogy to a worm burrowing through the ecosystem and spreading uncontrollably fits alarmingly well.
Among the affected packages are those from the @ctrl ecosystem, the NativeScript community, as well as numerous projects related to CrowdStrike. Particularly concerning: Some of these packages, such as @ctrl/tinycolor, achieve millions of downloads weekly.
Connection to the Recent Attack Seems Likely
According to ReversingLabs, the attack likely began with the package rxnt-authentication, which was published on September 14. The associated account, techsupportrxnt, is currently considered "Patient Zero." It remains unclear exactly how the account was compromised – phishing or a faulty GitHub workflow configuration are considered possible causes.
CrowdStrike responded immediately and removed the affected packages from the registry. According to their own statement, the platform itself was not affected. Internal keys have been rotated, and a thorough investigation is underway in collaboration with the npm team.
The impact of the campaign is far-reaching: An analysis of the stolen data, according to GitGuardian, has already revealed at least 278 compromised secrets, including 188 that were leaked directly through manipulated GitHub workflows. Security researchers are calling it a "cascade compromise" of the npm ecosystem.
Developers are strongly advised to check their environments for affected package versions, immediately rotate tokens and credentials, and review all build processes. Projects that perform automatic deployments and publishing without adequately isolating secrets are particularly at risk.
Security Researchers Urge Greater Awareness in the Use of Open-Source Packages
In the long term, the incident once again raises the question of the resilience of open-source infrastructures. The close integration of developer accounts, CI/CD pipelines, and package managers requires not only technological protective measures but also a higher level of awareness – particularly in professional DevOps and security teams.
Date: 08.12.2025
The following packages have been clearly identified as compromised by Socket: