shai-hulud
Safeguard articles tagged "shai-hulud" — guides, analysis, and best practices for software supply chain and application security.
9 articles
Lessons from Shai-Hulud: The First Self-Propagating npm Worm
In September 2025, npm faced a supply chain attack that spread by itself — stealing developers' tokens, then using them to trojanize the victims' own packages. Here is how it worked.
The Shai-Hulud npm worm campaign
A self-replicating npm worm hit 500+ packages in September 2025 and 796 more in November — here's how Shai-Hulud actually spread, stole secrets, and what stops it.
SHA1-Hulud second-wave npm supply chain incident
Shai-Hulud's November 2025 second wave hit npm via a Bun-based worm, stealing cloud creds and re-publishing trojanized packages at scale.
Mini Shai-Hulud AntV npm packages compromise
A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.
IronWorm: A Rust eBPF Rootkit Worm Hits the npm Supply Chain
IronWorm is a compiled Rust npm worm with a kernel-level eBPF rootkit, Tor C2, and OIDC-based self-propagation. It is the engineering ceiling of 2026 software supply chain attacks — and it carries no CVE.
How npm's Takedown Response Time Compressed from Days to Hours During the 2025 Shai-Hulud Waves
AWS measured the September 8 chalk/debug compromise being removed within 2.5 hours and Shai-Hulud 2.0 in November within 12 hours. Here is how the registry-side response workflow operates and how to consume the signal.
The Shai-Hulud npm Supply Chain Attack Explained
How the Shai-Hulud worm turned compromised npm maintainer tokens into a self-replicating supply chain attack, and how to detect and remediate it.
npm Mandatory 2FA for Publishing: How the November 2025 Rollout Hardened the Registry
After the Shai-Hulud worm compromised more than 500 npm packages in September 2025, GitHub published a revised timeline forcing FIDO 2FA, 90-day token caps, and disabled token publishing by default. Here is the defender view.
Shai-Hulud: The Self-Replicating npm Worm That Hit 500+ Packages
On September 15, 2025, a self-replicating npm worm dubbed Shai-Hulud backdoored more than 500 packages, including @ctrl/tinycolor and CrowdStrike libraries, by pivoting through stolen publish tokens.