Shai-Hulud: The self-replicating NPM worm
How it works, why it matters, and how to defend

Europe: Wed 15th October 2025 - 10 AM GMT | 11 AM CET

North America: Thu 16th October - 10 AM PDT | 1 PM EDT

Shai-Hulud: The self-replicating NPM worm
On September 15–16, 2025, researchers observed a supply-chain campaign in the NPM ecosystem using self-replicating malware to spread across maintainers’ packages. After executing during postinstall, the worm conducts local discovery, hunts for GitHub/NPM/cloud credentials, drops a malicious GitHub Action to exfiltrate secrets (often via webhook[.]site), and republishes infected versions of all packages owned by a compromised maintainer — accelerating propagation to hundreds of packages.
What you'll take away:
- How Shai-Hulud works — post-install execution (bundle.js), local discovery, credential theft, GitHub Action persistence, and automated NPM republishing.
- Why it’s a big deal — novel self-propagation within the NPM ecosystem; rapid spread to ~200 packages in the first 24 hours.
- How to detect it — runtime signals (e.g., suspicious bundle.js activity, trufflehog execution, outbound calls during install, unusual public repo creation) and detections available in Sysdig Secure and Falco.
- What to do now — inventory checks for affected packages, version pinning/rollback, credential rotation, blocking npm where needed, and GitHub hygiene.
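The abstract and the takeaways above name the worm's entry point (a postinstall hook running bundle.js) and two of the recommended responses (inventory checks of installed packages, version pinning). The following is an added example written for this page, not code from Sysdig, Falco or the webinar: a small Python audit that walks a project's node_modules, reports every package whose manifest declares an install-time lifecycle script, flags commands containing the strings the abstract mentions (bundle.js, trufflehog, webhook.site), and lists dependencies in package.json that are not pinned to an exact version. The marker strings are a constructed heuristic, not vendor detection rules; the sample project it builds in a temp directory is constructed for the demo and no package names in it are real.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that execute automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic strings taken from the abstract above; constructed for this
# example, not Sysdig or Falco rule content
SUSPICIOUS_MARKERS = ("bundle.js", "trufflehog", "webhook.site")

# Exact semver (1.2.3, optionally with prerelease/build metadata); anything
# else (^, ~, *, ranges, tags) is treated as unpinned
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def audit_manifest(manifest_path):
    """Return findings for one package.json as dicts with keys
    package, hook, command, markers. Every install-time hook is reported
    because each deserves review; markers lists which suspicious strings,
    if any, appear in the hook's command."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    name = manifest.get("name", str(manifest_path))
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        markers = [m for m in SUSPICIOUS_MARKERS if m in command.lower()]
        findings.append({"package": name, "hook": hook,
                         "command": command, "markers": markers})
    return findings


def audit_node_modules(project_root):
    """Walk node_modules under project_root and audit every package.json."""
    findings = []
    for manifest in sorted(Path(project_root, "node_modules").rglob("package.json")):
        findings.extend(audit_manifest(manifest))
    return findings


def unpinned_dependencies(project_root):
    """Return dependency names in the project's package.json whose version
    spec is not an exact version (a range can resolve to a newly published
    infected release on the next install)."""
    with open(Path(project_root, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    unpinned = []
    for section in ("dependencies", "devDependencies"):
        for dep, spec in (manifest.get(section) or {}).items():
            if not EXACT_SEMVER.match(spec):
                unpinned.append(dep)
    return sorted(unpinned)


def build_demo_project():
    """Create a constructed sample project in a temp dir and return its root.
    Package names are invented for the demo."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-app",
        "dependencies": {"safe-lib": "1.2.3", "sample-suspect": "^2.0.0"},
    }))
    safe = root / "node_modules" / "safe-lib"
    safe.mkdir(parents=True)
    (safe / "package.json").write_text(json.dumps({"name": "safe-lib", "version": "1.2.3"}))
    suspect = root / "node_modules" / "sample-suspect"
    suspect.mkdir(parents=True)
    # Constructed manifest mirroring the pattern the abstract describes:
    # a postinstall hook that runs bundle.js
    (suspect / "package.json").write_text(json.dumps({
        "name": "sample-suspect",
        "version": "2.0.1",
        "scripts": {"postinstall": "node bundle.js"},
    }))
    return root


if __name__ == "__main__":
    root = build_demo_project()
    for f in audit_node_modules(root):
        label = "SUSPICIOUS" if f["markers"] else "review"
        print(f"[{label}] {f['package']} {f['hook']}: {f['command']} {f['markers']}")
    print("unpinned:", unpinned_dependencies(root))
```

Run it against a real checkout by replacing build_demo_project() with the project path. Reporting every install-time hook, not only the ones matching a marker, is deliberate: a worm that renames its loader evades string matching, but it still needs a lifecycle script to run during install, so the full hook inventory is the durable signal and the markers are only a triage aid.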
Speakers:
- Alberto Pellitteri — Sysdig Threat Research
- Michael Clark — Sysdig Threat Research
Register for the webinar here