Wormable Malware Causing Supply Chain Compromise of npm Code Packages

On September 15, 2025, reports surfaced that the widely used npm package @ctrl/tinycolor had been compromised by wormable malware as part of a broader supply chain attack. The campaign initially affected over 40 packages, a number that has since risen to more than 180 according to Aikido's blog. Upon further investigation, the first package identified as compromised in this campaign was rxnt-authentication, which was updated on September 14, 2025, at 17:58:50 UTC.
The malware in this campaign is considered one of the first self-spreading worms to propagate via the npm ecosystem. It harvests sensitive information such as developer credentials, cloud keys, and tokens by scanning infected systems with credential-gathering tools such as TruffleHog, exfiltrates the stolen data through public GitHub repositories, and injects itself into other packages maintained by the compromised developers in order to spread further across the npm ecosystem.
Package management ecosystems like npm have been heavily targeted by threat actors recently and will likely remain a prime target, which makes them an area of concern for organizations that use these tools as part of their development toolchain. The most recent developments follow the September 8, 2025 npm package compromise, in which malicious updates injected cryptocurrency-stealing malware into popular packages, and the August 26, 2025 Nx package compromise, which exfiltrated thousands of developer credentials and led to many private repositories being made public.
Malware
At a high level, the wormable malware in this campaign carries out a series of actions to steal data and then spreads itself widely within the npm ecosystem.
- First, it scans infected hosts and continuous integration (CI) environments for sensitive secrets like passwords and cloud service credentials by using tools like TruffleHog and querying metadata endpoints from AWS, Google Cloud, and Azure.
- It then creates a public GitHub repository named “Shai-Hulud,” where it dumps a JSON file containing system details, environment variables, and stolen secrets for threat actors to access.
- The malware also drops a malicious GitHub Actions workflow (.github/workflows/shai-hulud-workflow.yml) that collects repository secrets and sends them to attacker-controlled webhooks.
- To propagate further, it uses any valid npm tokens it finds to automatically republish other packages maintained by the compromised user with the malicious code injected.
- Finally, it exposes private repositories by turning them public or by adding workflows and branches that trigger additional leaks and malware runs, effectively acting as a self-replicating worm across the developer ecosystem.
Affected Code Packages
The npm software registry is the world's largest package repository, containing more than 800,000 code packages with millions of downloads per day. Because it is so widely used in development environments, organizations that use npm as part of their development workflow are recommended to review the list of affected packages identified so far (maintained in the Aikido blog referenced above).
Recommendations
Review GitHub Accounts for Malicious Repositories
Because this malware is known to switch private repositories to public, review your GitHub account for unexpected changes of private repositories to public visibility.
Additionally, look for new repositories with the description "Shai-Hulud Migration" or newly created branches named "Shai-Hulud". If you do not use GitHub in your environment but do publish packages to a public or private npm registry, look instead for new, unsanctioned versions of your packages published to those registries.
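The account review above can be scripted against the GitHub REST API. The following is an added example (not part of the original bulletin or any Arctic Wolf tooling): it flags repositories named Shai-Hulud, repositories whose description mentions Shai-Hulud, branches named Shai-Hulud, and repositories that were private in a saved baseline but are public now. The filtering is a pure function over the API's JSON repository objects, so it is demonstrated on constructed sample records; the `GITHUB_TOKEN` environment variable and the `/user/repos` and `/repos/{owner}/{repo}/branches` endpoints are the assumed inputs when run live.

```python
"""Triage a GitHub account's repositories for Shai-Hulud indicators.

Added example, not the bulletin's own code. Indicators come from the
recommendations above: repo name "Shai-Hulud", description mentioning
"Shai-Hulud Migration", branch "Shai-Hulud", and private-to-public flips.
"""
import json
import os
import urllib.request

API = "https://api.github.com"   # assumed: public GitHub, not GHES
NAME_IOC = "shai-hulud"
DESC_IOC = "shai-hulud"          # matches "Shai-Hulud Migration" and variants
BRANCH_IOC = "shai-hulud"


def gh_get(path, token):
    """Authenticated GET with Link-header pagination over the GitHub REST API."""
    results = []
    url = f"{API}{path}?per_page=100"
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            results.extend(json.load(resp))
            link = resp.headers.get("Link", "")
        url = None
        for part in link.split(","):
            if 'rel="next"' in part:
                url = part[part.find("<") + 1:part.find(">")]
    return results


def flag_repositories(repos, branches_by_repo, private_baseline):
    """Return (full_name, reason) findings.

    repos:             list of GitHub repo objects (full_name, name, description, private)
    branches_by_repo:  dict full_name -> list of branch names
    private_baseline:  set of full_names known to be private at the last good point
    """
    findings = []
    for repo in repos:
        full = repo["full_name"]
        if (repo.get("name") or "").lower() == NAME_IOC:
            findings.append((full, "repository named Shai-Hulud"))
        if DESC_IOC in (repo.get("description") or "").lower():
            findings.append((full, "description mentions Shai-Hulud"))
        if any(b.lower() == BRANCH_IOC for b in branches_by_repo.get(full, [])):
            findings.append((full, "branch named Shai-Hulud"))
        # Missing "private" is treated as private so an odd record never false-flags.
        if full in private_baseline and not repo.get("private", True):
            findings.append((full, "was private in baseline, now public"))
    return findings


# Constructed sample data for offline demonstration (no real accounts).
SAMPLE_REPOS = [
    {"full_name": "acme/Shai-Hulud", "name": "Shai-Hulud", "description": None, "private": False},
    {"full_name": "acme/billing-migration", "name": "billing-migration",
     "description": "Shai-Hulud Migration", "private": False},
    {"full_name": "acme/internal-tools", "name": "internal-tools",
     "description": "Build scripts", "private": False},
    {"full_name": "acme/website", "name": "website", "description": "Public site", "private": False},
]
SAMPLE_BRANCHES = {"acme/internal-tools": ["main", "shai-hulud"], "acme/website": ["main"]}
SAMPLE_BASELINE = {"acme/internal-tools"}  # was private before the incident


def main():
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        repos = gh_get("/user/repos", token)
        branches = {r["full_name"]: [b["name"] for b in gh_get(f"/repos/{r['full_name']}/branches", token)]
                    for r in repos}
        baseline = set(json.load(open(os.environ["PRIVATE_BASELINE"]))) if "PRIVATE_BASELINE" in os.environ else set()
    else:
        repos, branches, baseline = SAMPLE_REPOS, SAMPLE_BRANCHES, SAMPLE_BASELINE
    for full, reason in flag_repositories(repos, branches, baseline):
        print(f"{full}: {reason}")


if __name__ == "__main__":
    main()
```

The baseline is the one input you have to bring yourself: export the list of repositories that were private before September 14, 2025 (from an earlier inventory or backup) into the JSON file named by `PRIVATE_BASELINE`; without it the visibility check cannot distinguish a worm-driven flip from a repository that was always public.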
Identify and Remove Affected npm Packages
Hijacked npm packages identified by their maintainers are being removed from the npm registry to prevent further distribution. Organizations should review and remove affected versions of npm packages from their environments, especially on devices where npm is used as part of the development pipeline.
Special care should be taken in any confirmed infection scenario where npm authentication tokens with publish rights to private or public registries are present, since this malware propagates by publishing trojanized versions of packages with those credentials. Where feasible, consider purging and reinstalling all npm packages to ensure that no known trojanized dependency persists.
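The "identify" half of this recommendation can be automated on developer machines and build agents. The following is an added example (not code from the bulletin or from Arctic Wolf) that checks a project directory for three indicators named in this article: the dropped `.github/workflows/shai-hulud-workflow.yml` file, installed package versions in `package-lock.json` that match an affected list, and references to webhook.site inside `node_modules`. The `AFFECTED` set is a placeholder to be populated from the published list; the two entries it ships with are constructed sample values, not real compromised versions, as is the sample lockfile.

```python
"""Scan a project checkout for Shai-Hulud indicators (added example, not the bulletin's code).

Checks per project root:
  1. presence of .github/workflows/shai-hulud-workflow.yml
  2. package-lock.json entries (lockfile v1 tree or v2/v3 "packages" map) in AFFECTED
  3. JS/JSON files under node_modules that reference webhook.site
"""
import json
import os
import re
import tempfile

WORKFLOW_IOC = os.path.join(".github", "workflows", "shai-hulud-workflow.yml")
WEBHOOK_RE = re.compile(rb"webhook\.site", re.IGNORECASE)
CODE_EXTS = (".js", ".cjs", ".mjs", ".json")

# Placeholder for the published affected list as (name, version) pairs.
# CONSTRUCTED sample values for this demonstration only; replace with the real list.
AFFECTED = {("example-compromised-lib", "9.9.9"), ("@example/other-lib", "2.0.1")}


def parse_lockfile_packages(lock_text):
    """Yield (name, version) for every installed package described by a package-lock.json."""
    lock = json.loads(lock_text)
    if "packages" in lock:  # lockfileVersion 2 or 3: keys are install paths
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:  # "" is the root project; links have no version
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            yield path.split("node_modules/")[-1], meta["version"]
    elif "dependencies" in lock:  # lockfileVersion 1: nested tree keyed by name
        def walk(deps):
            for name, meta in deps.items():
                yield name, meta.get("version")
                yield from walk(meta.get("dependencies", {}))
        yield from walk(lock["dependencies"])


def find_affected(lock_text, affected=AFFECTED):
    """Sorted 'name@version' strings present in both the lockfile and the affected set."""
    return sorted(f"{n}@{v}" for n, v in parse_lockfile_packages(lock_text) if (n, v) in affected)


def scan_node_modules(root):
    """Relative paths of code files under node_modules that mention webhook.site."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        for fn in files:
            if not fn.endswith(CODE_EXTS):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    if WEBHOOK_RE.search(fh.read()):
                        hits.append(os.path.relpath(full, root))
            except OSError:
                continue
    return sorted(hits)


def scan_project(root, affected=AFFECTED):
    findings = {"workflow_ioc": os.path.isfile(os.path.join(root, WORKFLOW_IOC)),
                "affected_packages": [], "webhook_refs": scan_node_modules(root)}
    lock_path = os.path.join(root, "package-lock.json")
    if os.path.isfile(lock_path):
        with open(lock_path, encoding="utf-8") as fh:
            findings["affected_packages"] = find_affected(fh.read(), affected)
    return findings


# Constructed v3 lockfile exercising a top-level and a nested match.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-compromised-lib": {"version": "9.9.9"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/@example/other-lib": {"version": "2.0.1"},
}})


def demo():
    """Build a constructed project tree showing all three indicators and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".github", "workflows"))
        with open(os.path.join(root, WORKFLOW_IOC), "w") as fh:
            fh.write("name: constructed placeholder\n")
        with open(os.path.join(root, "package-lock.json"), "w") as fh:
            fh.write(SAMPLE_LOCK)
        os.makedirs(os.path.join(root, "node_modules", "left-pad"))
        with open(os.path.join(root, "node_modules", "left-pad", "index.js"), "w") as fh:
            fh.write("fetch('https://webhook.site/constructed-sample');\n")  # constructed IOC
        return scan_project(root)


if __name__ == "__main__":
    import sys
    print(json.dumps(scan_project(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Run it as `python scan_project.py /path/to/checkout` on each repository and CI workspace; any non-empty finding is grounds to quarantine the host and proceed to the token and secret rotation steps below. The lockfile check deliberately reads `package-lock.json` rather than `package.json`, because the manifest records version ranges while the lockfile records what was actually installed.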
Rotate Secrets on Devices Running Trojanized npm Packages
At minimum, any device confirmed to be running trojanized versions of npm packages should be quarantined until fully remediated, and any accessible secrets should be rotated. As a precaution, teams may consider rotating these credentials across development environments where npm packages are regularly installed, even without confirmed compromise.
Because this malware harvests credentials from a wide variety of sources using tools like TruffleHog, a broad set of secrets should be considered for rotation, including those known to have been gathered in this campaign.
Potentially affected secrets include, but are not necessarily limited to:
- AWS credentials, including access keys (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), IAM credentials, and session tokens.
- Google Cloud Platform service credentials including OAuth tokens and service account keys.
- Azure credentials including service principals and access tokens.
- Credentials stored in credential management tools such as AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault.
- npm authentication tokens (i.e., those used for automation and publication).
- API keys stored in environment variables or hard-coded throughout source code.
- SSH keys used with Git.
- Database credentials stored in connection strings.
- GitHub personal access tokens.
- GitHub Actions secrets.
Note: At the time of this writing, TruffleHog ships detectors for over 800 different credential types. There is no central documentation page listing all supported types, but the detector list in its GitHub repository serves as the reference.
Monitor for Suspicious Connections
In this campaign, the malware was observed making outbound connections to webhook[.]site to confirm that propagation was successful. If you do not use this service for legitimate purposes in your environment, consider blocking this domain and alerting on any attempts to reach it.