Emerging Threats | Red Sentry

CrowdStrike Affected by Supply Chain Attack

On September 16th, CrowdStrike, a global cybersecurity leader, was affected by a supply chain attack. The scale of this incident is significant. The malware steals secrets and publishes them publicly on GitHub. It also attempts to create new GitHub Actions with a data exfiltration mechanism, while iterating through the repositories that users can access and making them public.

What Products Are Affected?

The primary impact has been on NPM (Node Package Manager) packages. Because the attack is still ongoing, estimates suggest that around 180 packages have been compromised so far.

These malicious packages gather stolen credentials and publish them to a new public GitHub repository named Shai-Hulud, which is also the name currently used to refer to the malware itself.

How Does It Work?

The defining feature of this attack is its worm-like behavior. Instead of relying on a single infected package, it self-replicates:

  1. Fetches an existing package version from the NPM registry
  2. Modifies the package.json file
  3. Injects a local script
  4. Repackages the archive
  5. Re-publishes itself into other NPM packages

Think of it like the replication mechanism of the flu:

  • You get sick.
  • You go to the pharmacy (the NPM registry) and grab a new, clean box of tissues (an NPM package).
  • You scribble a hidden note on the inside flap of the tissue box (modify the package.json).
  • You slip in a hidden, infected cough drop (inject a local script).
  • You close the box so it looks untouched (repackaging).
  • Then you put the infected box back on the shelf for others to pick up (re-publishing).
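The modification step above (edit package.json, inject a local script) is the one a defender can audit for directly. The following script is an added example, not Red Sentry's code or the malware: it walks an installed node_modules tree, reads each package.json, and reports every package that declares an npm install-time lifecycle hook, noting when that hook runs a file shipped inside the package. The sample tree it builds is constructed in a temporary directory; its package names and contents are invented for the demo.

```python
"""Audit an installed npm dependency tree for install-time lifecycle scripts.

Added example, not Red Sentry's code. The worm modifies package.json and
injects a local script, and the natural place for that script to run is an
npm lifecycle hook. This walks node_modules, reads every package.json and
reports packages that declare such a hook, noting when the hook runs a file
shipped inside the package itself. build_sample_tree() creates a constructed
tree in a temp directory; its package names and contents are made up.
"""
import json
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _local_files_run(command: str, pkg_dir: Path) -> list[str]:
    """Tokens of a hook command that name a file inside the package directory."""
    return [tok for tok in command.split() if (pkg_dir / tok).is_file()]


def find_lifecycle_scripts(node_modules: Path) -> list[dict]:
    """Return one finding per installed package that declares a lifecycle hook."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to audit here
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if not hooks:
            continue
        pkg_dir = pkg_json.parent
        findings.append({
            "name": data.get("name", pkg_dir.name),
            "version": data.get("version", "unknown"),
            "path": pkg_dir.relative_to(node_modules).as_posix(),
            "hooks": hooks,
            # A hook that executes a file bundled in the package is the pattern
            # to review first; it matches the "inject a local script" step.
            "runs_local_file": sorted(
                f for cmd in hooks.values() for f in _local_files_run(cmd, pkg_dir)
            ),
        })
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree() -> Path:
    """Create a constructed node_modules tree: one clean package, one with a
    postinstall hook that runs a bundled file, and one nested package with a
    preinstall hook. All names are invented for the demo."""
    root = Path(tempfile.mkdtemp()) / "node_modules"

    def write(rel, name, scripts=None):
        d = root / rel
        d.mkdir(parents=True)
        manifest = {"name": name, "version": "1.0.0"}
        if scripts:
            manifest["scripts"] = scripts
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return d

    write("sample-clean", "sample-clean")
    hooked = write("sample-hooked", "sample-hooked", {"postinstall": "node setup.js"})
    (hooked / "setup.js").write_text("// constructed placeholder\n", encoding="utf-8")
    write("sample-clean/node_modules/sample-nested", "sample-nested",
          {"preinstall": "echo nested"})
    return root


if __name__ == "__main__":
    for finding in find_lifecycle_scripts(build_sample_tree()):
        print(json.dumps(finding, indent=2))
```

Point `find_lifecycle_scripts` at a real project's node_modules to get the same report; a hook is not proof of compromise (many legitimate packages build native code on install), but a hook that appeared in a recent version and runs a bundled file is exactly what deserves a diff against the previous release before the package is trusted again.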

Is There a Mitigation Patch or Update?

Since this is still unfolding, the full scope of the attack will take time to assess, and infected versions need to be identified and removed from the registry.

In the meantime, organizations can reduce exposure by:

  • Ensuring NPM applications use lockfiles pinned to known-good versions
  • Cleaning caches on developer systems and internal registries
  • Using cooldown options (when available) to delay upgrades to versions published in the last few days
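The first and third mitigations can be checked mechanically. The script below is an added example, not Red Sentry's code: it reads a package-lock.json, reports any dependency that lacks an exact version or a sha512 integrity hash (which is what lets `npm ci` install only reviewed artifacts), and flags pinned versions published inside a cooldown window. The lockfile, the publish timestamps (normally the output of `npm view <pkg> time --json`), the package names, hashes and dates are all constructed so that it runs offline.

```python
"""Check a package-lock.json for exact pinning and apply a publish-date cooldown.

Added example, not Red Sentry's code. Every dependency in the lockfile must
carry an exact version and an integrity hash (so `npm ci` installs only
reviewed artifacts), and any version published within the last COOLDOWN_DAYS
is flagged so the upgrade can wait. Publish timestamps would normally come
from `npm view <pkg> time --json`; a constructed dictionary stands in for that
output. The lockfile, package names, hashes and dates are made up for the demo.
"""
import json
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 7

# Constructed lockfileVersion 3 excerpt; integrity values are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/sample-lib": {
      "version": "2.1.0",
      "resolved": "https://registry.example/sample-lib/-/sample-lib-2.1.0.tgz",
      "integrity": "sha512-PLACEHOLDERHASHsampleLib210"
    },
    "node_modules/sample-util": {
      "version": "0.9.4",
      "resolved": "https://registry.example/sample-util/-/sample-util-0.9.4.tgz"
    },
    "node_modules/@scope/sample-cli": {
      "version": "1.0.0",
      "resolved": "https://registry.example/@scope/sample-cli/-/sample-cli-1.0.0.tgz",
      "integrity": "sha512-PLACEHOLDERHASHsampleCli100"
    }
  }
}
""")

# Constructed stand-in for `npm view <name> time --json` (version -> ISO 8601).
SAMPLE_PUBLISH_TIMES = {
    "sample-lib": {"2.1.0": "2025-06-01T09:12:00.000Z"},
    "sample-util": {"0.9.4": "2025-09-15T10:00:00.000Z"},
    "@scope/sample-cli": {"1.0.0": "2025-03-20T16:45:00.000Z"},
}

# Constructed "current time": the day after the incident date in the article.
NOW = datetime(2025, 9, 17, tzinfo=timezone.utc)


def lock_entries(lock: dict):
    """Yield (package name, metadata) for every dependency entry in the lock."""
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # the project root itself, or a workspace symlink
        yield path.rsplit("node_modules/", 1)[-1], meta


def check_pinning(lock: dict) -> list[tuple[str, str]]:
    """Entries missing an exact version or a strong integrity hash."""
    problems = []
    for name, meta in lock_entries(lock):
        if not meta.get("version"):
            problems.append((name, "no exact version"))
        integrity = meta.get("integrity", "")
        if not integrity:
            problems.append((name, "no integrity hash"))
        elif not integrity.startswith("sha512-"):
            problems.append((name, "integrity not sha512"))
    return problems


def check_cooldown(lock, publish_times, now=NOW, days=COOLDOWN_DAYS):
    """Pinned versions published less than `days` ago."""
    cutoff = now - timedelta(days=days)
    recent = []
    for name, meta in lock_entries(lock):
        stamp = publish_times.get(name, {}).get(meta.get("version"))
        if stamp is None:
            continue  # no registry data for this version; nothing to compare
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if published > cutoff:
            recent.append((name, meta["version"], published.date().isoformat()))
    return recent


if __name__ == "__main__":
    for name, why in check_pinning(SAMPLE_LOCK):
        print(f"PINNING  {name}: {why}")
    for name, ver, when in check_cooldown(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES):
        print(f"COOLDOWN {name}@{ver} published {when}, inside {COOLDOWN_DAYS}-day window")
```

In a real pipeline the publish map is filled from the registry per package, `npm ci` (rather than `npm install`) enforces the lockfile, and `npm cache clean --force` on developer machines plus a purge of any internal mirror covers the second bullet; where the package manager offers a built-in cooldown (recent pnpm versions expose a minimumReleaseAge setting), the same window can be enforced at install time instead of in a separate script.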

Think You've Been Exposed?

The specifics of this incident remain under investigation, but it resembles a compromise from late August in which an NPM developer’s account was abused to insert malware into nx, an open-source code development toolkit.

That earlier malware had the same objective—stealing and disclosing credentials and keys—but it did not self-propagate.

This highlights an important point: many successful attacks don’t rely on highly advanced techniques. Instead, they exploit simple mistakes, misconfigurations, or gaps in routine security testing.

If you believe your organization may be at risk of a similar event, it’s critical to perform a security assessment to confirm. Red Sentry’s team of professionals can conduct penetration testing across your environments to help identify and address vulnerabilities before they are exploited.

Matias Arancibia
Cybersecurity Researcher
