In September 2025, the npm ecosystem experienced one of its most sophisticated supply chain attacks yet. More than forty widely used packages, including the popular @ctrl/tinycolor, were compromised and republished with malicious behaviour hidden inside postinstall hooks and obfuscated payloads.
The goal was simple and deeply concerning. Gain access to developer environments, harvest secrets, and create persistent footholds inside GitHub workflows. At a time when engineering teams increasingly depend on open source, this incident serves as a reminder of how fragile and far reaching modern supply chains can be.
Understanding attacks like this helps teams strengthen their own defences and detect compromise early. Platforms such as ScanDog support this by continuously analysing dependencies, validating CI workflows and surfacing malicious behaviour quickly.
What Made the Shai Hulud Supply Chain Attack So Advanced
This was not a simple version hijack. The attackers demonstrated a deep understanding of how published packages, GitHub workflows and developer credentials interact.
Initial compromise
Attackers gained access to the npm account of a well known maintainer and used it to publish new malicious versions across dozens of packages.
Malicious postinstall scripts
Each infected version included a postinstall command pointing to an obfuscated JavaScript bundle. Once executed, it performed reconnaissance and credential harvesting.
Widespread credential extraction
The payload attempted to collect environment variables, scrape secrets from local files and probe AWS, GCP and Azure metadata endpoints for cloud tokens.
Self propagation across the maintainer’s ecosystem
The malware attempted to publish further compromised versions of all packages owned by the affected maintainer, extending the reach of the attack automatically.
GitHub workflow injection for persistence
Using the harvested tokens, the attackers created a new branch named shai-hulud and added a rogue GitHub Actions workflow designed to exfiltrate repository secrets. This workflow remained active even after malicious packages were removed.
This persistence mechanism is what makes the attack especially dangerous. It sits silently inside the CI system, long after teams believe the threat has passed.
What Is at Risk
The blast radius of a supply chain attack like this is not limited to application code.
Potential exposures include:
- GitHub Actions secrets and personal access tokens
- Cloud credentials including AWS, Azure and GCP keys
- Injected workflows that continue exfiltrating secrets
- Lateral movement into unrelated repos or accounts
- Malicious dependencies embedded inside build artefacts
Dependency attacks often create a cascading effect. A single malicious package can compromise entire CI systems and cloud environments.
Indicators of Compromise to Check Immediately
Security researchers have identified several consistent signs of compromise.
Repository artefacts
- A branch named shai-hulud
- A malicious workflow located at .github/workflows/shai-hulud-workflow.yml
- Unexpected workflow runs sending secrets externally
Dependency signals
- Presence of compromised package versions in lockfiles or SBOMs
- Force published versions with new postinstall scripts
If any of these indicators appear in your environment, treat the situation as an active incident.
Complete List of Compromised Packages
Dozens of libraries were affected. The following packages and versions were confirmed compromised:
angulartics2 - 14.1.2
@ctrl/deluge - 7.2.2
@ctrl/golang-template - 1.4.3
@ctrl/magnet-link - 4.0.4
@ctrl/ngx-codemirror - 7.0.2
@ctrl/ngx-csv - 6.0.2
@ctrl/ngx-emoji-mart - 9.2.2
@ctrl/ngx-rightclick - 4.0.2
@ctrl/qbittorrent - 9.7.2
@ctrl/react-adsense - 2.0.2
@ctrl/shared-torrent - 6.3.2
@ctrl/tinycolor - 4.1.1, 4.1.2
@ctrl/torrent-file - 4.1.2
@ctrl/transmission - 7.3.1
@ctrl/ts-base32 - 4.0.2
encounter-playground - 0.0.5
json-rules-engine-simplified - 0.2.4, 0.2.1
koa2-swagger-ui - 5.11.2, 5.11.1
@nativescript-community/gesturehandler - 2.0.35
@nativescript-community/sentry - 4.6.43
@nativescript-community/text - 1.6.13
@nativescript-community/ui-collectionview - 6.0.6
@nativescript-community/ui-drawer - 0.1.30
@nativescript-community/ui-image - 4.5.6
@nativescript-community/ui-material-bottomsheet - 7.2.72
@nativescript-community/ui-material-core - 7.2.76
@nativescript-community/ui-material-core-tabs - 7.2.76
ngx-color - 10.0.2
ngx-toastr - 19.0.2
ngx-trend - 8.0.1
react-complaint-image - 0.0.35
react-jsonschema-form-conditionals - 0.3.21
react-jsonschema-form-extras - 1.0.4
rxnt-authentication - 0.0.6
rxnt-healthchecks-nestjs - 1.0.5
rxnt-kue - 1.0.7
swc-plugin-component-annotate - 1.9.2
ts-gaussian - 3.0.6
@crowdstrike/commitlint - 8.1.2
@crowdstrike/falcon-shoelace - 0.4.1
@crowdstrike/foundry-js - 0.19.1
@crowdstrike/glide-core - 0.34.3
@crowdstrike/logscale-dashboard - 1.205.2
@crowdstrike/logscale-file-editor - 1.205.2
@crowdstrike/logscale-parser-edit - 1.205.2
@crowdstrike/logscale-search - 1.205.2
@crowdstrike/tailwind-toucan-base - 5.0.2
These packages span UI components, colour utilities, analytics and developer tooling, making the attack particularly far reaching.
What You Should Do Now
A clear, methodical response helps contain the impact.
Audit your dependencies
Search lockfiles, SBOMs and node modules for any compromised versions. Tools like syft and cdxgen help generate SBOMs, which can then be scanned for malicious releases.
Inspect your repositories
Check for the shai-hulud branch and any unexpected workflow files. Review recent workflow runs for unusual network activity.
Rotate all relevant secrets
GitHub tokens, npm tokens and cloud provider credentials should be replaced immediately.
Review CI and cloud logs
Look for unusual actions within GitHub Actions, AWS CloudTrail, GCP audit logs or Azure activity logs.
Harden your pipelines
Enforce branch protection rules, restrict who can modify workflows and apply least privilege permissions to all tokens.
How ScanDog Helps Teams Respond to Supply Chain Attacks
When a supply chain attack hits, the question teams ask first is always the same. Are we exposed?
ScanDog helps answer this in minutes rather than hours.
Immediate detection through dependency and SBOM scanning
ScanDog identifies malicious npm versions across repositories and CI pipelines without requiring manual checks.
Clarity through reachability analysis
Not every compromised package results in exploitation. ScanDog evaluates whether the malicious code path is reachable or executed in the environment, helping teams prioritise real threats.
Automated containment
ScanDog can block builds containing malicious versions, open remediation tickets and alert teams instantly in Slack or Teams.
Faster remediation
AI Fix generates actionable patches, including PRs that replace compromised packages with safe versions and explain the changes.
Centralised remediation tracking
The Remediation Center offers a clear overview of which repositories are affected, what has been fixed and what still requires action.
These capabilities allow teams to move quickly from uncertainty to control.
A New Reality for Supply Chain Security
The Shai Hulud incident reinforces a growing truth. Modern applications inherit vast portions of their behaviour from dependencies developers never wrote. A single compromised account can ripple through the ecosystem and silently reach production.
Security teams need visibility across dependencies, SBOMs, CI workflows and cloud credentials. They also need tooling that highlights what is exploitable, what is executed and what is urgent.
Platforms like ScanDog support this shift by providing the contextual awareness and automation required to navigate increasingly complex software supply chains.
ScanDog is an AI-powered Application Security Posture Management (ASPM) platform that helps development teams build secure software faster. With advanced vulnerability prioritization, reachability analysis, and AI-assisted remediation, ScanDog cuts through the noise of false positives to focus on what truly matters.