Large-Scale Supply Chain Attack Compromises 170+ npm Packages and PyPI Libraries
Hackers have executed a sophisticated supply chain attack by infiltrating over 170 npm packages and two PyPI libraries, collectively downloaded more than 200 million times per week. The campaign, attributed to the resurfaced "Shai-Hulud" malware, steals developer and cloud credentials while exhibiting worm-like propagation across development ecosystems.
Attack Mechanics
The malicious npm packages contain a hidden preinstall script that executes during installation, deploying a loader to fetch an obfuscated JavaScript payload. Unlike typical credential stealers, this malware modifies legitimate package code, injects malicious components, and republishes infected versions, turning compromised environments into new attack vectors.
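One way to surface install-time hooks before they run, as an added example (not code from the article or from JFrog): the script walks a `node_modules` tree, reports every package that declares a `preinstall`, `install` or `postinstall` script, and filters the result against a reviewed allowlist. The function names and the `name@version:hook` allowlist format are assumptions made for this example.

```javascript
// Added example: report dependencies that declare install-time lifecycle scripts.
const fs = require("fs");
const path = require("path");

// npm runs these hooks automatically during install unless scripts are disabled.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return one finding per install hook declared in pkgDir/package.json.
function inspectPackage(pkgDir) {
  let manifest;
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8"));
  } catch {
    return []; // missing or unparsable manifest: nothing to report for this directory
  }
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string").map((hook) => ({
    name: manifest.name, version: manifest.version, hook, command: scripts[hook], dir: pkgDir,
  }));
}

// Walk node_modules recursively, covering @scope/ directories and nested node_modules.
function findInstallHooks(nodeModulesDir) {
  const findings = [];
  if (!fs.existsSync(nodeModulesDir)) return findings;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const full = path.join(nodeModulesDir, entry.name);
    const pkgDirs = entry.name.startsWith("@")
      ? fs.readdirSync(full).map((name) => path.join(full, name))
      : [full];
    for (const pkgDir of pkgDirs) {
      findings.push(...inspectPackage(pkgDir));
      findings.push(...findInstallHooks(path.join(pkgDir, "node_modules")));
    }
  }
  return findings;
}

// Keep only hooks that are not on the reviewed allowlist ("name@version:hook" entries).
function unexpectedHooks(findings, allowlist) {
  const allowed = new Set(allowlist);
  return findings.filter((f) => !allowed.has(`${f.name}@${f.version}:${f.hook}`));
}

if (typeof module !== "undefined" && require.main === module) {
  const root = process.argv[2] || path.join(process.cwd(), "node_modules");
  for (const f of findInstallHooks(root)) console.log(`${f.name}@${f.version} ${f.hook}: ${f.command}`);
}
```

Symlinked packages (pnpm, `npm link`) are not followed by this walk. Installing with `npm ci --ignore-scripts` keeps these hooks from executing at all.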
The PyPI variant embeds a downloader in the import process, fetching a remote Python payload that targets cloud platforms, local systems, and developer tools. Both variants employ multi-layered obfuscation, including PBKDF2-SHA256 encryption and AES-256 runtime decryption, to evade detection.
Initial Compromise & Propagation
The attack originated from a misconfigured GitHub Actions workflow, where attackers exploited untrusted forked code to execute within a privileged environment. Once inside CI/CD pipelines, the malware extracts GitHub Actions tokens, OIDC identity data, and npm publishing credentials, enabling large-scale package hijacking.
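A check for this class of misconfiguration, as an added example that is not taken from the article or from the affected project. The article does not name the trigger involved, so the check assumes the common pattern of a `pull_request_target` workflow that checks out the pull request's head; both workflow samples and the `auditWorkflow` name are constructed for illustration.

```javascript
// Added example: a text heuristic, not a YAML parser. Both workflows are constructed samples.
// Assumption: the risky pattern is the `pull_request_target` trigger plus a checkout of the PR head.
const WEAK = [
  "on:",
  "  pull_request_target:",
  "permissions:",
  "  id-token: write",
  "  contents: read",
  "jobs:",
  "  test:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - run: npm ci && npm test",
  "        env:",
  "          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");

// Same job on the unprivileged `pull_request` trigger, read-only token, no secrets.
const HARDENED = [
  "on:",
  "  pull_request:",
  "permissions:",
  "  contents: read",
  "jobs:",
  "  test:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - run: npm ci --ignore-scripts && npm test",
].join("\n");

function auditWorkflow(yamlText) {
  const text = yamlText.replace(/^[ \t]*#.*$/gm, ""); // ignore whole-line comments
  const privilegedTrigger = /\bpull_request_target\b/.test(text);
  const checksOutPrHead = /\bref[ \t]*:.*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\b/.test(text);
  const exposed = [];
  if (/\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)\w+/.test(text)) exposed.push("repository secrets");
  if (/\bid-token[ \t]*:[ \t]*write\b/.test(text)) exposed.push("OIDC token");
  if (!/^[ \t]*permissions[ \t]*:/m.test(text)) exposed.push("default GITHUB_TOKEN scope");
  // The combination lets fork-controlled code run with the credentials above in scope.
  return { privilegedTrigger, checksOutPrHead, exposed, risky: privilegedTrigger && checksOutPrHead };
}

if (typeof module !== "undefined" && require.main === module) {
  console.log("weak:", auditWorkflow(WEAK));
  console.log("hardened:", auditWorkflow(HARDENED));
}
```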
Credential Theft & Exfiltration
The payload targets a broad range of sensitive data, including:
- GitHub tokens, Actions secrets, and npm credentials
- AWS, GCP, and Azure credentials (via environment variables, files, and metadata services)
- Kubernetes service account tokens and HashiCorp Vault secrets
- SSH keys, .npmrc files, shell history, and API keys
- Password manager data (1Password, Bitwarden)
Stolen data is exfiltrated through encrypted uploads to attacker-controlled servers, GitHub repositories, and decentralized networks (e.g., Session/Oxen). A notable indicator is commits authored by "[email protected]."
Destructive Capabilities
The malware includes a "dead-man switch", a persistent service that monitors stolen GitHub tokens. If a token is revoked, the malware may trigger destructive actions, such as wiping the infected system. The PyPI variant can also deploy a second-stage payload capable of deleting entire Linux systems under certain conditions.
Detection & Response
Security researchers at JFrog detected and blocked all malicious packages within 24 hours, but the incident highlights vulnerabilities in CI/CD trust mechanisms. The attack demonstrates how compromised build processes can turn verified pipelines into malware distribution channels, underscoring the need for stricter runtime monitoring and credential hygiene.
Source: https://gbhackers.com/170-npm-packages-hijacked/
PyPI cybersecurity rating report: https://www.rankiteo.com/company/pypi
GitHub cybersecurity rating report: https://www.rankiteo.com/company/github
1Password cybersecurity rating report: https://www.rankiteo.com/company/1password
"id": "PYPGIT1PA1778761827",
"linkid": "pypi, github, 1password",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Developers and organizations '
'using compromised packages',
'industry': 'Technology/Software Development',
'location': 'Global',
'name': 'npm packages (170+)',
'size': '200M+ weekly downloads',
'type': 'Software package repository'},
{'customers_affected': 'Developers and organizations '
'using compromised libraries',
'industry': 'Technology/Software Development',
'location': 'Global',
'name': 'PyPI libraries (2)',
'size': 'Included in 200M+ weekly downloads',
'type': 'Software package repository'}],
'attack_vector': ['Misconfigured GitHub Actions workflow',
'Malicious npm/PyPI packages'],
'data_breach': {'data_encryption': ['PBKDF2-SHA256',
'AES-256 runtime decryption'],
'data_exfiltration': ['Encrypted uploads to '
'attacker-controlled servers',
'GitHub repositories',
'Decentralized networks (Session/Oxen)'],
'sensitivity_of_data': 'High (cloud and development '
'credentials)',
'type_of_data_compromised': ['Credentials',
'Secrets',
'API keys',
'SSH keys',
'Password manager data']},
'description': 'Hackers executed a sophisticated supply chain attack by '
'infiltrating over 170 npm packages and two PyPI libraries, '
'collectively downloaded more than 200 million times per week. '
"The campaign, attributed to the 'Shai-Hulud' malware, steals "
'developer and cloud credentials while exhibiting worm-like '
'propagation across development ecosystems.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'open-source ecosystems',
'data_compromised': ['GitHub tokens',
'Actions secrets',
'npm credentials',
'AWS/GCP/Azure credentials',
'Kubernetes service account tokens',
'HashiCorp Vault secrets',
'SSH keys',
'.npmrc files',
'Shell history',
'API keys',
'Password manager data (1Password, '
'Bitwarden)'],
'identity_theft_risk': 'High (stolen developer and cloud '
'credentials)',
'operational_impact': 'Compromised build processes turned into '
'malware distribution channels',
'systems_affected': ['CI/CD pipelines',
'Development environments',
'Cloud platforms (AWS, GCP, Azure)']},
'initial_access_broker': {'backdoors_established': 'Malicious code injection '
'in legitimate packages',
'entry_point': 'Misconfigured GitHub Actions '
'workflow',
'high_value_targets': ['CI/CD pipelines',
'Cloud platforms',
'Developer environments']},
'investigation_status': 'Ongoing (malicious packages blocked)',
'lessons_learned': 'The incident highlights vulnerabilities in CI/CD trust '
'mechanisms and the need for stricter runtime monitoring '
'and credential hygiene.',
'motivation': ['Credential theft', 'Data exfiltration', 'Malware propagation'],
'post_incident_analysis': {'corrective_actions': ['Block malicious packages',
'Revoke compromised '
'credentials',
'Implement stricter CI/CD '
'security controls'],
'root_causes': ['Misconfigured GitHub Actions '
'workflow',
'Untrusted forked code in CI/CD '
'pipelines',
'Lack of runtime monitoring']},
'ransomware': {'data_encryption': 'AES-256 (for payload obfuscation)',
'data_exfiltration': True},
'recommendations': ['Enforce stricter runtime monitoring',
'Improve credential hygiene',
'Audit CI/CD pipelines for untrusted code',
'Enhance detection of obfuscated malware'],
'references': [{'source': 'JFrog'}],
'response': {'containment_measures': 'All malicious packages blocked within '
'24 hours',
'enhanced_monitoring': 'Stricter runtime monitoring recommended',
'remediation_measures': ['Removal of malicious packages',
'Revocation of compromised credentials'],
'third_party_assistance': 'JFrog (security researchers)'},
'threat_actor': 'Shai-Hulud malware group',
'title': 'Large-Scale Supply Chain Attack Compromises 170+ npm Packages and '
'PyPI Libraries',
'type': 'Supply Chain Attack',
'vulnerability_exploited': ['Untrusted forked code in CI/CD pipelines',
'Hidden preinstall scripts',
'Malicious code injection in legitimate packages']}