The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity advisory warning developers and organizations about an ongoing software supply chain attack targeting the Node Package Manager (npm) ecosystem. The attack, driven by a self-replicating worm called Shai-Hulud, has already compromised over 500 npm packages, posing a significant threat to companies using JavaScript and Node.js frameworks across sectors such as IT, fintech, startups, and e-Governance platforms.⸻
Nature of the attack
According to the advisory (CIAD-2025-0034) issued on September 25, 2025, the Shai-Hulud campaign leverages phishing emails impersonating npm to steal developer credentials under the guise of “MFA update” prompts. Once credentials are compromised, attackers deploy malware designed to harvest authentication tokens and cloud service keys. The malicious code is embedded in npm packages through the post-installation (“postinstall”) script, enabling automatic credential theft and further spread of infected code.
The malware primarily targets sensitive credentials such as npm tokens, GitHub Personal Access Tokens (PATs), and API keys associated with Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. These credentials are exfiltrated to an attacker-controlled endpoint and uploaded to a public repository named Shai-Hulud on GitHub, from where the infection proliferates to other packages automatically.
Potential impact
The government advisory highlights that this attack can lead to unauthorized code execution, exposure of developer credentials, and large-scale supply chain compromise. Due to the automated propagation nature of Shai-Hulud, even organizations indirectly relying on npm-based software may face cascading risks, making it critical to review dependencies and network activity immediately.
Recommendations
CERT-In has advised all organizations using npm-based software to conduct dependency audits and check package-lock.json or yarn.lock files for signs of affected packages. Developers should rotate all credentials, enforce phishing-resistant multi-factor authentication (MFA), and remove unnecessary GitHub Apps and OAuth integrations. The agency also recommends monitoring for anomalous network traffic and blocking connections to suspicious domains like webhook.site.
In addition, organizations should check for unauthorized repositories named “Shai-Hulud,” unusual branches, or malicious GitHub workflow files within their accounts. Both npm and GitHub have removed malicious versions and announced new measures, including mandatory 2FA and trusted publishing, to strengthen ecosystem security.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
