Shai-Hulud: Largest npm Supply-Chain Compromise Affecting CrowdStrike and Hundreds of Packages

chha

8mo ago· 6 min readenNews

85/100

Golden Brown

Bagelometer↗

Pulled from the oven just right. Trustworthy, fact-dense, deeply satisfying.

Score85TypenewsSentimentnegative

Summary

The Shai-Hulud malware campaign represents the largest and most dangerous npm supply-chain compromise in history, affecting hundreds of packages including popular libraries like @ctrl/tinycolor and packages maintained by CrowdStrike. Malicious versions contain a trojanized script (bundle.js) that steals developer credentials, exfiltrates secrets, and persists through automated workflows in repositories and endpoints. The attack is being tracked in real-time as additional compromised packages are identified.

Key quotes

· 4 pulled

We are tracking the largest and most dangerous npm supply-chain compromise in history

Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories

This includes popular libraries such as @ctrl/tinycolor as well as packages maintained by CrowdStrike

The table below is continuously updated in real time as additional compromised packages are identified

Snippet from the RSS feed

We are tracking the largest and most dangerous npm supply-chain compromise in history, known as the Shai-Hulud malware campaign, which has now impacted hundreds of packages across multiple maintainers. This includes popular libraries such as @ctrl/tinycol

You might also wanna read

Microsoft uncovers supply chain attack: Compromised @antv npm packages steal CI/CD credentials via Mini Shai-Hulud malware

Microsoft has identified an active supply chain attack targeting the @antv npm package ecosystem. A threat actor compromised an @antv mainta

microsoft.com·1d ago

Microsoft uncovers npm supply chain attack stealing cloud and CI/CD credentials via typosquatted packages

Microsoft identified an active supply chain attack (Mini Shai-Hulud campaign) targeting the npm package ecosystem. On May 28, 2026, a threat

microsoft.com·3d ago

September 2025 NPM supply-chain attack compromises popular JavaScript packages

In September 2025, a coordinated software supply-chain attack targeted multiple popular NPM packages in the JavaScript ecosystem. The attack

projectptixiakis.github.io·4d ago

176 malicious npm packages used dependency confusion to target internal dependencies and steal credentials

Sonatype researchers uncovered a campaign involving 176 malicious npm packages using a dependency confusion attack strategy. Attackers publi

sonatype.com·3d ago

Microsoft detects 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries

A threat actor using the alias vpmdhaj published 14 malicious npm packages within four hours, impersonating legitimate OpenSearch, Elasticse

theregister.com·1d ago

Microsoft detects 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries

A threat actor using the alias vpmdhaj published 14 malicious npm packages within four hours, impersonating legitimate OpenSearch, Elasticse

theregister.com·1d ago

Attacker publishes 14 malicious npm packages impersonating OpenSearch and Elasticsearch libraries

A single npm user published 14 malicious packages over four hours, impersonating popular OpenSearch, Elasticsearch, DevOps, and environment-

briefly.co·2d ago