“Shai-Hulud” Worm Compromises npm Ecosystem in Supply Chain Attack unit42.paloaltonetworks.com/npm-suppl…

Palo Alto Networks Unit 42 is investigating an active and widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem. A novel, self-replicating worm, which is currently being tracked as “Shai-Hulud,” is responsible for the compromise of over 180 software packages.

This attack represents a significant evolution in supply chain threats, leveraging automated propagation to achieve scale. Unit 42 also assesses with moderate confidence that an LLM was used to generate the malicious bash script, based on inclusion of comments and emojis.

The attack may originate from a credential-harvesting phishing campaign spoofing npm and asking developers to “update” their multi-factor authentication (MFA) login options. Once initial access was gained, the threat actor deployed a malicious payload that functions as a worm, initiating a multi-stage attack sequence. Based on the inclusion of comments and emojis in the bash script, Unit 42 assesses with moderate confidence the threat actor leveraged LLM to assist in writing the malicious code.