Supply Chain Incident
Shai-Hulud npm self-propagating package compromise
The Shai-Hulud campaign trojanized npm packages with credential-harvesting malware. On install, the payload stole npm maintainer tokens and GitHub tokens from the victim's environment and used the stolen npm tokens to publish malicious versions of further packages the victim could write to, so each infected maintainer seeded new infections and the compromise spread through the registry as a self-propagating worm.
Confidence: High
Evidence Level: Researcher
Attack Stage: Package Publish
Source Artifact Divergence: No
Attribution Confidence: Suspected
Affected Packages
Affected Releases
- @ctrl/tinycolor@4.1.1 (Release) · pkg:npm/%40ctrl/tinycolor@4.1.1 · published 2025-09-15
- @ctrl/tinycolor@4.1.2 (Release) · pkg:npm/%40ctrl/tinycolor@4.1.2 · published 2025-09-15
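The check a practitioner wants from this record is whether any of the affected releases above ended up in a project's install tree. The script below is an added example, not code from this corpus or from any of the cited researchers: it walks a package-lock.json (lockfileVersion 2/3 "packages" map, with a fallback for the v1 nested "dependencies" tree), reports any hit in the purl form the record uses, and carries the affected set copied from the two releases listed above. The lockfile embedded in it is constructed sample input.

```javascript
// Added example: scan an npm lockfile for the Shai-Hulud releases this record
// lists. AFFECTED is copied from the record; SAMPLE_LOCK is constructed input.
const AFFECTED = new Set([
  "@ctrl/tinycolor@4.1.1",
  "@ctrl/tinycolor@4.1.2",
]);

// Constructed lockfileVersion 3 sample (the shape current npm writes).
// Keys in "packages" are node_modules paths; "" is the root project itself.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "@ctrl/tinycolor": "^4.1.0" } },
    "node_modules/@ctrl/tinycolor": {
      version: "4.1.2",
      resolved: "https://registry.npmjs.org/@ctrl/tinycolor/-/tinycolor-4.1.2.tgz",
    },
    "node_modules/left-pad": { version: "1.3.0" },
    // Nested, older copy of the same package: not in the affected set.
    "node_modules/foo/node_modules/@ctrl/tinycolor": { version: "4.0.0" },
  },
});

// Map a "packages" key back to a package name: everything after the last
// "node_modules/" segment, which handles nested and scoped packages alike.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every {id, path} in the lockfile whose "name@version" is affected.
function findAffected(lockJson, affected = AFFECTED) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [key, meta] of Object.entries(lock.packages)) {
      const name = packageNameFromKey(key);
      if (!name || !meta.version) continue;
      const id = `${name}@${meta.version}`;
      if (affected.has(id)) hits.push({ id, path: key });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: recurse through the nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        const id = `${name}@${meta.version}`;
        if (affected.has(id)) hits.push({ id, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Render "name@version" as the purl used in this record, percent-encoding the
// scope's leading "@" (pkg:npm/%40ctrl/tinycolor@4.1.1).
function toPurl(id) {
  const at = id.lastIndexOf("@");
  const name = id.slice(0, at);
  const version = id.slice(at + 1);
  return `pkg:npm/${name.replace(/^@/, "%40")}@${version}`;
}

// Usage: `node check.js path/to/package-lock.json`; with no argument the
// constructed sample is scanned. The require() guard keeps this file loadable
// as an ES module too, where require is undefined.
const lockJson =
  typeof require === "function" && process.argv[2]
    ? require("node:fs").readFileSync(process.argv[2], "utf8")
    : SAMPLE_LOCK;
const hits = findAffected(lockJson);
for (const hit of hits) console.log(`AFFECTED ${toPurl(hit.id)} at ${hit.path}`);
console.log(hits.length === 0 ? "no affected releases found" : `${hits.length} hit(s)`);
```

A hit means more than a dependency bump: this record lists compromised npm maintainer tokens and victim GitHub tokens as the stolen assets, so any host that installed an affected release should be treated as compromised and its npm and GitHub credentials rotated. A clean lockfile is also not proof of safety, since an ad-hoc `npm install` without a committed lockfile leaves no record of what was pulled.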
Repositories
No structured records.
Organizations
Maintainers
No structured records.
Threat Actors
- Shai-Hulud operator
Campaigns
No structured records.
Build Systems
- GitHub Actions
Distribution Channels
- GitHub Actions workflow
- npm registry
Compromised Accounts
- compromised npm maintainer tokens
- victim GitHub tokens
Connected Entities
- @ctrl/tinycolor Package
- @ctrl/tinycolor@4.1.1 Release
- @ctrl/tinycolor@4.1.2 Release
- compromised npm maintainer tokens Compromised Account
- ctrl Organization
- GitHub Actions Build System
- GitHub Actions workflow Distribution Channel
- npm registry Distribution Channel
- rxnt Organization
- rxnt-authentication Package
- Shai-Hulud operator Threat Actor
- victim GitHub tokens Compromised Account
Attribution Evidence
Public reporting describes a coherent Shai-Hulud operator and campaign behaviour, but this corpus does not attribute the activity to a named APT or state sponsor.
References
- Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages · StepSecurity · 2025-09-15
- Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware · Wiz · 2025-09-16
- @ctrl/tinycolor npm registry metadata · npm · 2025-09-15