The discovery of a fresh supply chain attack targeting npm packages published under the CrowdStrike publisher account marks a troubling escalation of the so-called “Shai-Hulud” attack.
Developers and organizations relying on these packages face an urgent threat: malicious code capable of harvesting credentials, injecting unauthorized workflows, and exfiltrating secrets.
Immediate action is required to safeguard development environments and prevent unauthorized code execution.
The Shai-Hulud campaign first made headlines when it subverted tinycolor and more than 40 other npm libraries.
In the most recent wave, security researchers at Socket.dev identified multiple CrowdStrike packages infected with a malicious bundle.js payload.
Upon installation, this script downloads and launches TruffleHog—a legitimate tool used to scan for secrets—and repurposes it to scour the host system for tokens, API keys, and cloud credentials.
After harvesting valid developer and CI secrets, the malware automatically creates unauthorized GitHub Actions workflows in compromised repositories.
All stolen data is then exfiltrated to a hardcoded webhook endpoint (hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fcb9ebb8170b7) via an orchestrating script identified by SHA-256 hash 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09.
List of Affected Packages
The npm registry swiftly removed the identified malicious versions once the activity was reported.
Confirmed compromised packages include core CrowdStrike modules and supporting Ember and utility libraries.
Notable examples are:
| Package Name | Affected Version(s) |
|---|---|
| @crowdstrike/commitlint | 8.1.1, 8.1.2 |
| @crowdstrike/falcon-shoelace | 0.4.2 |
| @crowdstrike/foundry-js | 0.19.2 |
| @crowdstrike/glide-core | 0.34.2, 0.34.3 |
| @crowdstrike/logscale-dashboard | 1.205.2 |
| @crowdstrike/logscale-file-editor | 1.205.2 |
| @crowdstrike/logscale-parser-edit | 1.205.1, 1.205.2 |
| @crowdstrike/logscale-search | 1.205.2 |
| @crowdstrike/tailwind-toucan-base | 5.0.2 |
Additional impacted libraries include browser-webdriver-downloader 3.0.8, various eslint-config-crowdstrike modules, monorepo-next 13.0.2, remark-preset-lint-crowdstrike 4.0.2, verror-extra 6.0.1, and yargs-help-output 5.0.3.
Each contained the identical bundle.js payload responsible for credential theft and exfiltration.
Organizations leveraging any of the compromised npm packages should take the following steps without delay:
| Risk Factor | Impact | Recommended Action |
|---|---|---|
| Malicious bundle.js payload | Credential theft, unauthorized code execution, workflow injection | Uninstall compromised packages or pin to known-good versions; monitor npm publishes for anomalies |
| TruffleHog-driven secret scanning | Exposure of API keys, tokens, cloud credentials | Rotate all npm tokens, cloud credentials, and CI secrets; audit credential stores |
| Unauthorized GitHub Actions workflows | Persistent backdoors enabling repeated exfiltration | Review and remove unfamiliar workflows; require signed workflows and enforce least-privilege access |
CrowdStrike and npm maintainers are collaborating on a comprehensive technical analysis, which will detail propagation mechanisms and remediation steps.
Until patched releases are confirmed, teams must audit developer machines and CI/CD agents for unauthorized npm publishes or suspicious package modifications.
A CrowdStrike spokesperson told Cyberpress, “After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”
Monitoring logs for unusual publish events and GitHub Actions changes will help detect any further malicious activity.