Skip to main content
close search
site logo

CISA urges dependency checks following Shai-Hulud compromise

Security teams are urged to review their software environments after a major supply chain attack on the NPM ecosystem.

Published Sept. 24, 2025
David Jones's headshot
Reporter
Close-up Focus on Person's Hands Typing on the Desktop Computer Keyboard
gorodenkoff via Getty Images

The Cybersecurity and Infrastructure Security Agency urged security teams to monitor their systems following a massive supply chain attack that struck the Node Package Manager ecosystem. 

The attack, tracked under the name Shai-Hulud, involved a self-replicating worm that compromised more than 500 software packages, according to StepSecurity. 

After gaining access, a malicious attacker injected malware and scanned the environment for sensitive credentials. The credentials included GitHub Personal Access Tokens and application programming interface keys for various cloud services, including Amazon Web Services, Google Cloud Platform and Microsoft Azure. 

The stolen credentials were uploaded to an endpoint controlled by the attacker and then uploaded to a public repository called Shai-Hulud. 

Researchers at Palo Alto Networks said the attacker used an LLM to write the malicious script, according to an updated blog post released Tuesday. 

GitHub on Monday said it took action to mitigate the impact of the attacks. GitHub has removed more than 500 packages from the npm registry. In addition, new packages that contain the malware’s indicators of compromise have been blocked. 

CISA is urging security teams to take a series of mitigation steps to make sure their environments were not compromised. They include the following measures:

  • Perform a dependency review of all software that leverages the npm package ecosystem. 
  • Look for cached versions of affected dependencies in artifact repositories as well as dependency management tools. 
  • Promptly rotate all developer credentials.
  • Implement phishing-resistant multifactor authentication on developer accounts.

Editors' picks

Company Announcements

View all | Post a press release
Migliaccio & Rathod LLP Investigates Cornwell Quality Tools Data Breach Affecting Over 100,000…
From Migliaccio & Rathod LLP
September 09, 2025
Genians USA Elevates Computer Integration Technologies, Inc. (CIT) to Gold Partner Status
From Genians
September 19, 2025
Genians logo
BeyondTrust Delivers Identity Security Controls for AI, Turning Agent Visibility into Action
From BeyondTrust
September 16, 2025
BeyondTrust logo
Appknox Launches KnoxSpy, Breaking Open MDM-Locked Mobile Traffic for Real-Time Security Testi…
From Appknox
September 16, 2025
Appknox logo
Editors' picks
Latest in Strategy
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.