
1208 points | jamesberthoty | 2 comments

cddotdotslash No.45262019
I wonder who actually discovered this attack? Can we credit them? The phrasing in these posts is interesting, with some taking direct credit and others just acknowledging the incident.

Aikido says: > We were alerted to a large-scale attack against npm...

Socket says: > Socket.dev found compromised various CrowdStrike npm packages...

Ox says: > Attackers slipped malicious code into new releases...

Safety says: > The Safety research team has identified an attack on the NPM ecosystem...

Phoenix says: > Another supply chain and NPM maintainer compromised...

Semgrep says: > We are aware of a number of compromised npm packages

advocatemack No.45263064
Mackenzie here, I work for Aikido. This is a classic example of the security community all playing a part. The very first notice of this was from a developer named Daniel Pereira. He alerted Socket, who did the first review of the malware and discovered 40 packages. After that, Aikido discovered an additional 147 packages and the CrowdStrike packages. I'm not sure how Step found it, but they were the first to really understand the malware and that it was a self-replicating worm. So multiple parties all playing a part, kinda independently. It's pretty cool.

1. sauercrowd No.45269054
Question: how does your product help in these situations? I imagine it'd require someone to report a compromised package, and then you guys could detect it in my codebase?

2. singulasar No.45273990
Yes to the "you guys can detect it in my codebase" part, but it's generally not required for someone to report a compromised package; we also discover them ourselves quite fast due to automated scans of npm package updates. This is how Aikido was first to discover the previous supply chain hack.

The easiest way for you to use our product to be protected is actually using one of our free open source tools. https://www.npmjs.com/package/@aikidosec/safe-chain

This is a wrapper around npm etc. that will prevent you from installing malware.