Over 300 npm packages attacked by self-replicating worm – Serious security warning
The programming community was shocked when it was discovered that the tinycolor package – a hugely popular color manipulation library on npm (over 2 million downloads per week) – had been compromised, and over 40 other packages with it. The incident did not stop there: researchers at Socket have since reported that a self-propagating worm has infected over 300 npm packages.
How it spreads
The attackers inserted a malicious function called NpmModule.updatePackage into the compromised libraries. This function automates the entire infection process:
- Download the tarball of the target package.
- Edit the package.json file.
- Inject the malicious script bundle.js.
- Repackage it, then publish it to npm with the stolen token.
The worm also searches environment variables such as NPM_TOKEN for credentials, and uses them to spread to other packages maintained by the same account.
CrowdStrike was also affected.
According to Socket, CrowdStrike's npm account was also compromised, infecting many of its packages with malicious code. CrowdStrike has since removed the affected packages and changed all login credentials.
The campaign has been dubbed Shai-Hulud – inspired by the 'giant sandworm' from the science fiction novel Dune. The name comes from workflow files named shai-hulud.yaml in the malware.
The attack payload is considered quite sophisticated. It uses TruffleHog – a legitimate secret scanning tool – to find and validate credentials, before sending them to the attacker's server via webhook.
Some prominent infected packages include:
- @ctrl/tinycolor
- ngx-toastr
- @crowdstrike/glide-core
- angulartics2
- eslint-config-crowdstrike
- @nativescript-community/ui-collectionview
If affected, users need to remove the malicious package immediately:
npm uninstall
Then pin a known-safe version until a patch is available:
npm install
In addition, all credentials on the system must be rotated, because this worm is capable of stealing sensitive data, including: npm tokens, GitHub Personal Access Tokens and Actions secrets, SSH keys, cloud credentials (AWS, Google Cloud, Azure), API keys, database connection strings, and secrets stored in AWS Secrets Manager and similar services.