A fast-spreading supply chain attack known as Shai-Hulud has infected hundreds of npm packages and exposed sensitive developer credentials, including GitHub tokens, cloud keys and crypto wallet data. The campaign began in mid-September 2025 and has escalated quickly as the worm moves across maintainer accounts and widely used JavaScript libraries.
How the Shai-Hulud Worm Spreads
Security agencies report that attackers first compromise a maintainer account, often through phishing, then publish trojanized versions of that maintainer's legitimate packages to the npm registry. When a developer or a CI job installs one of these versions, an npm install hook runs a bundled malicious script, bundle.js, on macOS and Linux hosts.
The worm scans machines and CI pipelines for secrets using the open-source tool TruffleHog. It searches for items such as:
- GitHub personal access tokens
- npm publish tokens
- AWS, GCP and Azure cloud keys
- Wallet keys and crypto development credentials
If it finds a valid npm token, it uses that token to inject itself into the other packages the token is allowed to publish, bumps their versions and republishes them. Every infected install can therefore seed further infected packages, which is what makes Shai-Hulud a worm rather than a one-off trojanized release.
Persistence and Data Exposure
Researchers found that the worm attempts to stay active by creating GitHub Actions workflows inside victim repositories, so it runs again on later pushes even after the infected package is removed. It also uploads stolen credentials and private repository data to newly created public GitHub repositories named Shai-Hulud under the victim's account. Some of the compromised libraries are downloaded millions of times a week, which raises serious concerns about the scope of exposure.
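A first-pass triage scanner for the two footprints described above, written for this article as an added example (it is not code from the campaign reports or from any affected project). It walks a checkout's node_modules for packages whose npm install hooks invoke a file named bundle.js, and checks .github/workflows for files whose name or body carries the Shai-Hulud label. The match strings, the fixture package names (demo-clean, demo-trojaned) and the planted workflow file are constructed assumptions for the demo, not published indicators:

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed markers for this example: the script name the article reports
# (bundle.js) and the "Shai-Hulud" label on attacker-created artifacts.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
BUNDLE_RE = re.compile(r"\bbundle\.js\b")
LABEL_RE = re.compile(r"shai[-_ ]?hulud", re.IGNORECASE)


def scan_install_hooks(node_modules):
    """Return (package name, hook, command) for install hooks that run bundle.js."""
    hits = []
    for pkg_json in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # not valid JSON or unreadable; skip, do not crash the scan
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if isinstance(cmd, str) and BUNDLE_RE.search(cmd):
                hits.append((data.get("name", str(pkg_json.parent)), hook, cmd))
    return sorted(hits)


def scan_workflows(repo):
    """Return workflow filenames whose name or content carries the Shai-Hulud label."""
    wf_dir = Path(repo) / ".github" / "workflows"
    if not wf_dir.is_dir():
        return []
    hits = []
    for wf in wf_dir.iterdir():
        if not wf.is_file():
            continue
        body = wf.read_text(encoding="utf-8", errors="replace")
        if LABEL_RE.search(wf.name) or LABEL_RE.search(body):
            hits.append(wf.name)
    return sorted(hits)


def scan_repo(repo):
    """Combine both checks for one repository checkout."""
    repo = Path(repo)
    return {
        "install_hooks": scan_install_hooks(repo / "node_modules"),
        "workflows": scan_workflows(repo),
    }


def build_sample_repo():
    """Constructed fixture: one clean package, one package with a bundle.js
    postinstall hook, one clean workflow and one planted workflow."""
    root = Path(tempfile.mkdtemp(prefix="shai-hulud-demo-"))
    clean = root / "node_modules" / "demo-clean"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "demo-clean", "version": "1.0.0",
        "scripts": {"test": "node test.js"}}))
    bad = root / "node_modules" / "demo-trojaned"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "name": "demo-trojaned", "version": "4.1.2",
        "scripts": {"postinstall": "node bundle.js"}}))
    (bad / "bundle.js").write_text("// placeholder file for the demo, not the real payload\n")
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "ci.yml").write_text("name: CI\non: [push]\njobs: {}\n")
    (wf / "shai-hulud.yml").write_text("name: Shai-Hulud\non: [push]\njobs: {}\n")
    return root


if __name__ == "__main__":
    print(json.dumps(scan_repo(build_sample_repo()), indent=2))
```

String matching like this is only a quick check: a renamed script or workflow slips past it, so treat a clean result as "no obvious signs", not as a clean bill of health, and compare lockfile versions against the published lists of compromised releases as well.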
Although no confirmed cases show direct infections of Ethereum Name Service or popular web3 libraries, the risk remains high. Previous attacks on npm and PyPI have specifically targeted crypto tooling, so developers working on wallets, smart contracts or web3 apps should remain cautious.
Why Crypto Projects Face Heightened Risk
Developers often pull npm packages into CI/CD systems, containers and production environments, so a single compromised dependency can reach an entire blockchain workflow. An attacker running code in those contexts could intercept wallet operations, capture seed phrases or read the deployment secrets used for smart contract management.
What Developers Should Do Now
Experts urge teams to act immediately:
- Audit every dependency installed or updated since mid-September 2025, when the campaign began, and compare lockfile versions against the published lists of compromised package versions
- Pin exact, known-clean versions in the lockfile and stop npm from running install scripts wherever a build does not need them
- Rotate every credential an infected machine or CI runner could reach, including GitHub, npm, SSH and cloud tokens, as well as any wallet keys kept in development environments
- Enable phishing-resistant MFA, such as hardware security keys or passkeys, on all GitHub and npm accounts
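The two hardening steps that can be checked mechanically, version pinning and disabling install scripts, as an added example written for this article (not the page's or any project's own tooling). It flags dependency ranges in package.json that are not exact versions, reports which of the required .npmrc settings are missing, and rewrites .npmrc with them. The fixture project name and dependency names (demo-app, demo-lib, demo-util, demo-test) are constructed, and the choice of ignore-scripts and save-exact as the required settings is this example's assumption:

```python
import json
import re
import tempfile
from pathlib import Path

# Exact semver only: "1.2.3" or "1.2.3-beta.1", never "^1.2.3", "~1.2", "*" or "latest".
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Assumed hardening baseline for this example:
#   ignore-scripts=true  stops npm running install hooks (the channel bundle.js uses)
#   save-exact=true      makes `npm install <pkg>` write exact versions, not ^ ranges
REQUIRED_NPMRC = {"ignore-scripts": "true", "save-exact": "true"}
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_dependencies(package_json):
    """Return {name: spec} for every dependency whose spec is not an exact version."""
    data = json.loads(Path(package_json).read_text(encoding="utf-8"))
    unpinned = {}
    for section in DEP_SECTIONS:
        for name, spec in (data.get(section) or {}).items():
            if not isinstance(spec, str) or not EXACT_VERSION.match(spec):
                unpinned[name] = spec
    return unpinned


def parse_npmrc(npmrc):
    """Parse key=value lines of an .npmrc, ignoring blanks and ; or # comments."""
    path = Path(npmrc)
    settings = {}
    if not path.exists():
        return settings
    for line in path.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def missing_npmrc_settings(npmrc):
    """Return the required settings that are absent or set to a different value."""
    current = parse_npmrc(npmrc)
    return {k: v for k, v in REQUIRED_NPMRC.items() if current.get(k) != v}


def harden_npmrc(npmrc):
    """Rewrite .npmrc with the required settings applied, keeping other keys."""
    current = parse_npmrc(npmrc)
    current.update(REQUIRED_NPMRC)
    Path(npmrc).write_text("".join(f"{k}={v}\n" for k, v in sorted(current.items())),
                           encoding="utf-8")
    return current


def build_sample_project():
    """Constructed fixture: a package.json with mixed range specs and a weak .npmrc."""
    root = Path(tempfile.mkdtemp(prefix="npm-hardening-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-app",
        "dependencies": {"demo-lib": "^4.1.0", "demo-util": "1.2.3"},
        "devDependencies": {"demo-test": "~2.0.0"},
    }))
    (root / ".npmrc").write_text("save-exact=false\n; scripts still enabled\n")
    return root


if __name__ == "__main__":
    root = build_sample_project()
    print("unpinned:", unpinned_dependencies(root / "package.json"))
    print("missing :", missing_npmrc_settings(root / ".npmrc"))
    print("after   :", harden_npmrc(root / ".npmrc"))
```

Two caveats a practitioner will want: ignore-scripts breaks packages that genuinely build native code on install, so run such installs with scripts re-enabled for an allow-listed set of packages rather than globally; and pinning only helps if the pinned version itself is clean, so check the pinned versions against the compromised-version lists before trusting the lockfile.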
The Shai-Hulud incident highlights a major shift in open-source security. Autonomous supply chain worms are no longer theoretical. The ecosystem now needs stricter dependency checks, better tooling and tighter permissions for maintainers.