Sign up to save your podcasts
Or
Share The Npm Worm Outbreak
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
The Npm Worm Outbreak
The world’s biggest open-source ecosystem - npm - faced its first self-spreading worm.
They called it Shai Hulud.
It didn’t just infect one package. It infected developers themselves.
When a maintainer got phished, the worm harvested credentials, hijacked tokens, and created new CI/CD workflows to keep spreading - automatically.
No command-and-control. No manual uploads. Just a chain reaction across the npm registry.
And while the world was busy shouting about “2.6 billion downloads affected,” this real threat was quietly exfiltrating GitHub, cloud, and npm secrets - right under everyone’s nose.
This isn’t just another npm story.
It’s the first-ever self-replicating supply chain worm - and a wake-up call for every developer and security team building in the open.
Watch host Rob Maas (Field CTO, ON2IT) and Yuri Wit (SOC Analyst, ON2IT)
break down how it started, how it spread, and how to make sure your pipeline isn’t the next one to go viral.
- (00:00) - Intro, welcome & what npm is
Key Topics Covered
- How a maintainer phish and TOTP capture led to a crypto drainer in npm.
- Why Shai Hulud’s credential harvesting + CI/CD persistence makes it high-impact.
- Practical defenses: pin/review dependencies, CI/CD change alerts, secret rotation, egress monitoring.
- What developers vs. end users can (and can’t) do in supply-chain attacks.
Got your attention?
Subscribe to Threat Talks and turn on notifications for more content on the world’s leading cyber threats and trends.
Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/
Yuri Wit (SOC Analyst, ON2IT): https://www.linkedin.com/in/yuriwit/
Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
npm: https://www.npmjs.com/
Node.js: https://nodejs.org/
GitHub Docs: Actions & Workflows: https://docs.github.com/actions
MetaMask: https://metamask.io/
OWASP Dependency Management: https://owasp.org/www-project-dependency-check/
SLSA Supply-chain Levels for Software Artifacts: https://slsa.dev/
Click here to view the episode transcript.
View all episodes
By Threat TalksThe world’s biggest open-source ecosystem - npm - faced its first self-spreading worm.
They called it Shai Hulud.
It didn’t just infect one package. It infected developers themselves.
When a maintainer got phished, the worm harvested credentials, hijacked tokens, and created new CI/CD workflows to keep spreading - automatically.
No command-and-control. No manual uploads. Just a chain reaction across the npm registry.
And while the world was busy shouting about “2.6 billion downloads affected,” this real threat was quietly exfiltrating GitHub, cloud, and npm secrets - right under everyone’s nose.
This isn’t just another npm story.
It’s the first-ever self-replicating supply chain worm - and a wake-up call for every developer and security team building in the open.
Watch host Rob Maas (Field CTO, ON2IT) and Yuri Wit (SOC Analyst, ON2IT)
break down how it started, how it spread, and how to make sure your pipeline isn’t the next one to go viral.
- (00:00) - Intro, welcome & what npm is
Key Topics Covered
- How a maintainer phish and TOTP capture led to a crypto drainer in npm.
- Why Shai Hulud’s credential harvesting + CI/CD persistence makes it high-impact.
- Practical defenses: pin/review dependencies, CI/CD change alerts, secret rotation, egress monitoring.
- What developers vs. end users can (and can’t) do in supply-chain attacks.
Got your attention?
Subscribe to Threat Talks and turn on notifications for more content on the world’s leading cyber threats and trends.
Guest and Host Links:
Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/
Yuri Wit (SOC Analyst, ON2IT): https://www.linkedin.com/in/yuriwit/
Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
npm: https://www.npmjs.com/
Node.js: https://nodejs.org/
GitHub Docs: Actions & Workflows: https://docs.github.com/actions
MetaMask: https://metamask.io/
OWASP Dependency Management: https://owasp.org/www-project-dependency-check/
SLSA Supply-chain Levels for Software Artifacts: https://slsa.dev/
Click here to view the episode transcript.