Shai-Hulud: self-replicating npm worm (September 2025)
criticalpervasive
confirmed·submitted May 27, 2026·supply-chainnpmwormself-replicatingcredential-theft
The first self-replicating worm on npm. Beginning around September 15, 2025 with @ctrl/tinycolor, the malware ran a postinstall script that harvested developer and CI secrets (npm, GitHub, and cloud AWS/GCP/Azure tokens via TruffleHog), exfiltrated them to attacker-controlled public GitHub repositories, and used any stolen npm token to automatically publish trojanized versions of every other package that maintainer owned — propagating itself. Over 500 packages across many maintainers were compromised, including CrowdStrike-published packages. Remediation: rotate all developer/CI credentials, pin to known-clean versions, and audit GitHub for unexpected repos and workflow files.
Affected packages
58 packages- npm@crowdstrike/commitlint
8.1.18.1.2 - npmencounter-playground
0.0.20.0.30.0.40.0.5 - npm@crowdstrike/foundry-js
0.19.10.19.2 - npm@crowdstrike/glide-core
0.34.20.34.3 - npm@crowdstrike/logscale-dashboard
1.205.11.205.2 - npm@crowdstrike/logscale-file-editor
1.205.11.205.2 - npm@crowdstrike/logscale-parser-edit
1.205.11.205.2 - npm@crowdstrike/logscale-search
1.205.11.205.2 - npm@crowdstrike/tailwind-toucan-base
5.0.15.0.2 - npm@ctrl/deluge
7.2.17.2.2 - npm@ctrl/golang-template
1.4.21.4.3 - npm@ctrl/magnet-link
4.0.34.0.4 - npm@ctrl/ngx-codemirror
7.0.17.0.2 - npm@ctrl/ngx-csv
6.0.16.0.2 - npm@ctrl/ngx-emoji-mart
9.2.19.2.2 - npm@crowdstrike/falcon-shoelace
0.4.10.4.2 - npm@ctrl/qbittorrent
9.7.19.7.2 - npm@ctrl/react-adsense
2.0.12.0.2 - npm@ctrl/shared-torrent
6.3.16.3.2 - npm@ctrl/tinycolor
4.1.14.1.2 - npm@ctrl/torrent-file
4.1.14.1.2 - npm@ctrl/transmission
7.3.1 - npm@ctrl/ts-base32
4.0.14.0.2 - npm@nativescript-community/arraybuffers
1.1.61.1.71.1.8 - npm@nativescript-community/gesturehandler
2.0.35 - npm@nativescript-community/perms
3.0.53.0.63.0.73.0.8 - npm@nativescript-community/sentry
4.6.43 - npm@nativescript-community/sqlite
3.5.23.5.33.5.43.5.5 - npm@nativescript-community/text
1.6.91.6.101.6.111.6.121.6.13 - npm@nativescript-community/typeorm
0.2.300.2.310.2.320.2.33 - npm@nativescript-community/ui-collectionview
6.0.6 - npm@nativescript-community/ui-document-picker
1.1.271.1.28 - npm@nativescript-community/ui-drawer
0.1.30 - npm@nativescript-community/ui-image
4.5.6 - npm@nativescript-community/ui-label
1.3.351.3.361.3.37 - npm@nativescript-community/ui-material-bottom-navigation
7.2.727.2.737.2.747.2.75 - npm@nativescript-community/ui-material-bottomsheet
7.2.72 - npm@nativescript-community/ui-material-core
7.2.727.2.737.2.747.2.757.2.76 - npm@nativescript-community/ui-material-core-tabs
7.2.727.2.737.2.747.2.757.2.76 - npm@nativescript-community/ui-material-ripple
7.2.727.2.737.2.747.2.75 - npm@nativescript-community/ui-material-tabs
7.2.727.2.737.2.747.2.75 - npm@nativescript-community/ui-pager
14.1.3614.1.3714.1.38 - npm@nativescript-community/ui-pulltorefresh
2.5.42.5.52.5.62.5.7 - npmangulartics2
14.1.114.1.2 - npmts-gaussian
3.0.53.0.6 - npmjson-rules-engine-simplified
0.2.10.2.4 - npmkoa2-swagger-ui
5.11.15.11.2 - npmngx-bootstrap
18.1.419.0.319.0.420.0.320.0.420.0.5 - npmngx-color
10.0.110.0.2 - npmngx-toastr
19.0.119.0.2 - npmngx-trend
8.0.1 - npmreact-complaint-image
0.0.320.0.35 - npmreact-jsonschema-form-extras
1.0.4 - npmrxnt-authentication
0.0.30.0.40.0.50.0.6 - npmrxnt-healthchecks-nestjs
1.0.21.0.31.0.41.0.5 - npmrxnt-kue
1.0.41.0.51.0.61.0.7 - npmswc-plugin-component-annotate
1.9.11.9.2 - npm@ctrl/ngx-rightclick
4.0.14.0.2