New npm Worm Shai-Hulud Compromises 600+ Packages, Steals Dev Secrets

Researchers say a new worm called Shai-Hulud has compromised over 600 npm packages. The worm spreads by stealing developer credentials through phishing and then publishing infected packages that steal secrets like tokens and keys. It appears the worm can run before scanners check the code, making it hard to detect. Experts suggest using strong authentication, short-lived credentials, and careful control of new packages to reduce risks. Reports suggest these attacks are getting more common because once one maintainer is compromised, many users can be affected.

A sophisticated npm worm named Shai-Hulud has compromised over 600 packages in a significant supply chain attack, security researchers report. This self-replicating worm spreads by stealing developer credentials to publish malicious package updates that siphon secrets upon installation, expanding a campaign first identified in 2025.

This incident highlights the speed at which malware can propagate through trusted software ecosystems and underscores the critical need for continuous vigilance in development pipelines.

How the worm spreads

The Shai-Hulud npm worm is a self-propagating malware that infects the software supply chain. It spreads by using stolen developer credentials to publish malicious versions of legitimate packages. These versions contain scripts that execute before security scanners can run, stealing sensitive secrets from developer machines and CI/CD environments.

The infection vector begins with a phishing campaign where attackers pose as npm security staff to steal maintainer credentials, according to a Unit 42 analysis. The compromised accounts are then used to publish infected packages. Per a Trend Micro report, these packages contain malicious pre-install scripts that harvest cloud tokens and API keys using tools like TruffleHog before uploading them to public repositories.

Researchers have identified four primary stages in the attack lifecycle:

Account takeover via phishing or credential reuse.
Malicious code execution during npm install or CI/CD builds.
Credential harvesting from developer environments and CI runners.
Automated propagation by publishing more poisoned packages and injecting malicious GitHub Actions workflows.

Unit 42 estimates the 2025-2026 family has affected "tens of thousands" of repositories. A related variant, "Mini Shai-Hulud," reportedly compromised TanStack in May 2026 and reached two corporate devices, though OpenAI confirmed no user data was exposed.

Immediate risks for organisations

Because the worm executes in the pre-install phase, it can run before static analysis tools can inspect the package code. This stealthy execution explains why multiple organizations were forced to rotate credentials and isolate build agents. The malware reportedly includes a destructive fallback routine capable of erasing a user's home directory if its propagation fails.

Secrets most at risk from this attack include:

npm access tokens.
GitHub personal access tokens and Actions secrets.
Cloud provider keys retrieved from metadata services.

Compromised tokens allow the worm to publish additional malicious versions or access private source code, dramatically amplifying its downstream impact.

Defensive steps recommended in 2026 guidance

To counter this threat, security experts recommend adopting a layered defense to block initial compromise and prevent lateral movement. Key mitigation strategies include:

Enforce strong multi-factor authentication, such as WebAuthn or FIDO2, for all package publishing actions, as outlined in the GitHub supply-chain plan.
Replace long-lived tokens in CI/CD with short-lived, job-specific credentials using Trusted Publishing (OIDC).
Commit package-lock.json and use npm ci in build pipelines to guarantee dependency integrity and prevent unexpected updates.
Quarantine newly published package versions for 24-72 hours by setting npm config set min-release-age.
Disable lifecycle scripts in automated builds by default with the --ignore-scripts flag unless a specific script is required.

These measures significantly reduce the risk of a malicious package executing in critical environments and limit the potential data exposure during an incident.

Why the scale keeps growing

The rising scale of this threat aligns with industry trends, which saw supply-chain attacks double in 2024 and open-source malware grow 73% through 2025. The Shai-Hulud worm thrives by exploiting the trust inherent in open-source ecosystems; compromising a single trusted maintainer exposes every downstream user to the same risk.

Until comprehensive package signing and provenance verification become standard, robust identity controls for publishing and strict dependency hygiene are the most effective defenses available to organizations.