A **supply chain attack** (part of the self-propagating npm worm known as *Shai-Hulud*) compromised multiple **npm packages** published under CrowdStrike's official npm publisher account. The attackers injected a malicious `bundle.js` script into packages such as `@crowdstrike/commitlint` and `@crowdstrike/falcon-shoelace`, wired to run through an install-time lifecycle script, so it executed on every developer machine or CI runner that installed a compromised version. The payload downloaded and ran **TruffleHog**, a legitimate secret-scanning tool, to harvest **developer credentials, API keys, cloud tokens, and CI/CD secrets** from the host, then sent the results to a hardcoded attacker-controlled endpoint (`hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7`). It also **created unauthorized GitHub Actions workflows** in repositories reachable with the stolen GitHub tokens, which could be used for persistence and further credential theft. CrowdStrike removed the malicious versions from npm and rotated its registry keys, but anyone who installed them had **development environments, CI/CD pipelines, and potentially proprietary code or customer-integrated systems** exposed. The same worm had already hit `@ctrl/tinycolor` and other packages shortly before, underlining the systemic risk of install-time code execution in open-source supply chains. Organizations using these packages were urged to **uninstall the affected versions, rotate every secret those systems could reach, and audit repositories and pipelines** for workflows or publishes they did not create. CrowdStrike confirmed that the **Falcon sensor platform was unaffected**; the damage is to trust in its open-source tooling and to the **operational, reputational, and security posture** of dependent enterprises.
Source: https://gbhackers.com/crowdstrike-npm-packages-supply-chain-attack/
TPRM report: https://www.rankiteo.com/company/crowdstrike
"id": "cro1092210091625",
"linkid": "crowdstrike",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'technology/security',
'name': 'CrowdStrike',
'type': 'cybersecurity company'},
{'industry': 'various (technology-dependent)',
'location': 'global',
'name': 'Organizations using compromised npm packages',
'type': ['developers',
'enterprises',
'open-source projects']}],
'attack_vector': ['compromised npm packages',
'malicious dependency injection',
'post-install script execution'],
'customer_advisories': ['Audit environments for unauthorized activity.',
'Rotate secrets and monitor for suspicious '
'publishes.'],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['environment variables',
'configuration files',
'CI/CD secrets'],
'sensitivity_of_data': 'high',
'type_of_data_compromised': ['secrets',
'API keys',
'cloud credentials',
'GitHub tokens']},
'description': 'A supply chain attack compromised multiple npm packages '
'maintained by the crowdstrike-publisher account, part of the '
"ongoing 'Shai-Hulud attack.' Threat actors injected a "
'malicious `bundle.js` script into these packages, which '
'executes covert tasks post-installation. The payload '
'downloads and runs **TruffleHog**, a legitimate '
'secret-scanning tool, to harvest tokens, API keys, and cloud '
'credentials from host systems. Compromised secrets are then '
'exfiltrated to a hardcoded webhook endpoint '
'(`hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7`). '
'The attack also creates unauthorized GitHub Actions workflows '
'in affected repositories. Affected packages were swiftly '
'removed by the npm registry, but organizations are urged to '
'audit environments, rotate credentials, and monitor for '
'unauthorized activity.',
'impact': {'brand_reputation_impact': ['potential erosion of trust in '
"CrowdStrike's open-source ecosystem"],
'data_compromised': ['developer secrets',
'API keys',
'cloud credentials',
'GitHub tokens'],
'identity_theft_risk': ['high (due to exposed credentials)'],
'operational_impact': ['unauthorized npm publishes',
'malicious GitHub Actions workflows',
'credential rotation overhead'],
'systems_affected': ['developer machines',
'CI/CD pipelines',
'GitHub repositories']},
'initial_access_broker': {'backdoors_established': ['malicious `bundle.js` '
'script',
'GitHub Actions '
'workflows'],
'entry_point': 'compromised npm packages (e.g., '
'@crowdstrike/commitlint, '
'@crowdstrike/falcon-shoelace)',
'high_value_targets': ['developer credentials',
'CI/CD secrets',
'cloud access tokens']},
'investigation_status': 'ongoing (collaboration between CrowdStrike and npm)',
'lessons_learned': ['Supply chain attacks via open-source dependencies pose '
'significant risks even to security-focused '
'organizations.',
'Post-install scripts in npm packages can be weaponized '
'for credential theft.',
'Proactive key rotation and environment audits are '
'critical after such incidents.'],
'motivation': ['credential harvesting',
'unauthorized access',
'potential follow-on attacks'],
'post_incident_analysis': {'corrective_actions': ['Enhanced security for npm '
'publishing accounts.',
'Automated scanning for '
'malicious post-install '
'scripts.',
'Improved incident response '
'for supply chain attacks.'],
'root_causes': ["Compromise of CrowdStrike's npm "
'publisher account.',
'Insufficient vetting of '
'post-install scripts in '
'dependencies.',
'Trust in open-source supply chain '
'exploited.']},
'recommendations': ['Uninstall compromised npm packages or pin to pre-attack '
'versions.',
'Rotate all potentially exposed credentials (npm, GitHub, '
'cloud).',
'Monitor for unauthorized npm publishes or GitHub Actions '
'workflows.',
'Implement stricter vetting for open-source dependencies.',
'Use `npm audit` (which reports these packages once advisories '
'are published) and dependency scanners that flag install-time '
'scripts to detect malicious packages.'],
'references': [{'source': 'GBHackers on Security'}, {'source': 'Socket.dev'}],
'response': {'communication_strategy': ['public statement via GBHackers on '
'Security',
'collaboration with npm for technical '
'analysis'],
'containment_measures': ['removal of malicious packages from npm '
'registry',
'key rotation in public registries'],
'enhanced_monitoring': ['logs for unusual npm/GitHub activity'],
'incident_response_plan_activated': True,
'recovery_measures': ['pinning to known-good package versions',
'awaiting patched releases'],
'remediation_measures': ['audit of environments/developer '
'machines',
'credential rotation (npm tokens, cloud '
'credentials)',
'monitoring for unauthorized publishes'],
'third_party_assistance': ['npm registry collaboration']},
'stakeholder_advisories': ['CrowdStrike spokesperson statement confirming '
'removal of malicious packages and key rotation'],
'title': 'Supply Chain Attack on CrowdStrike npm Packages (Shai-Hulud Attack)',
'type': ['supply chain attack',
'credential theft',
'unauthorized code execution',
'data exfiltration'],
'vulnerability_exploited': ['supply chain trust abuse',
'npm package hijacking',
'CI/CD pipeline compromise']}