Shai-Hulud malware campaign dubbed 'the largest and most dangerous npm supply-chain compromise in history' — 'hundreds' of JavaScript packages affected

The Shai-Hulud malware campaign, described as the largest and most dangerous npm supply-chain compromise in history, has affected hundreds of JavaScript packages, including popular libraries like @ctrl/tinycolor. The malware spreads autonomously and injects a script during installation that performs credential harvesting and persistence operations. It uses offensive security tools like TruffleHog and developer tooling like GitHub Actions to exfiltrate secrets and create backdoors, making it a significant threat. Security firms are providing lists of compromised npm packages and guidance on how organizations can respond to this widespread attack in the Node.js ecosystem.