GitHub moves to tighten npm security amid phishing, malware plague

stapp · Sep 23, 2025

GitHub, which owns the npm registry for JavaScript packages, says it is tightening security in response to recent attacks.
September has been a bad month for npm with phishing attacks on package maintainers and hundreds of packages infected by secret-stealing malware.
GitHub security lab lead Xavier René-Corail said that more than 500 compromised packages have been removed and others blocked from upload by security scanning.
Click to expand...

https://www.theregister.com/2025/09/23/github_npm_registry_security/

ronjor · Sep 23, 2025

Widespread Supply Chain Compromise Impacting npm Ecosystem

Release Date September 23, 2025
CISA is releasing this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.
Click to expand...

stapp · Nov 24, 2025 at 9:22 AM

Shai-Hulud worm returns, belches secrets to 25K GitHub repos

A self-propagating malware targeting node package managers (npm) is back for a second round, according to Wiz researchers who say that more than 25,000 developers had their secrets compromised within three days.
The affected packages include those provided by Zapier, AsyncAPI, ENS Domains, PostHog, and Postman, several of which have thousands of weekly downloads.
Click to expand...

https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/

List of infected packages so far:-
https://socket.dev/blog/shai-hulud-strikes-again-v2

EASTER · Nov 24, 2025 at 11:59 AM

https://socket.dev/blog/shai-hulud-strikes-again-v2

C2 Discovery via GitHub Search#
Before executing its main payload, the malware attempts self-healing by searching public GitHub repositories for the beacon phrase:

"Sha1-Hulud: The Second Coming."

If found, it:

Reads a stored file containing a GitHub access token

Decodes it through three layers: base64 → base64 → base64

Uses the recovered token as its primary credential for exfiltration

This makes the malware self-healing—if a victim deletes previous malicious repositories, the attacker can re-seed victims through GitHub search. The beacon phrase also serves as a campaign signature for tracking infected repositories.
Click to expand...

Log in or Sign up

GitHub moves to tighten npm security amid phishing, malware plague

stapp Global Moderator

ronjor Global Moderator

stapp Global Moderator

EASTER Registered Member

Log in or Sign up

GitHub moves to tighten npm security amid phishing, malware plague

stapp Global Moderator

ronjor Global Moderator

stapp Global Moderator

EASTER Registered Member

Useful Searches