How a Compromised npm Package Revealed GitHub Workflow Vulnerabilities
An experiment uncovering how a possible vulnerability in GitHub Actions workflows exposed Ledger's npm keys. Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages belonging to multiple maintainers.
The Nx team has published detailed findings from their investigation into last week's supply chain attack, revealing how attackers exploited a GitHub Actions workflow vulnerability to steal npm publishing tokens. On September 8, 2025, an attacker compromised all packages published by qix, including extremely popular packages such as chalk and debug. Collectively, these packages have over 2 billion downloads per week, making this likely the largest supply chain attack in history. When the Shai-Hulud malware first appeared in the npm space in mid-September, it compromised 187 packages with a self-propagating payload that used the TruffleHog tool to steal developer. PostHog has disclosed a significant supply chain breach linked to the Shai-Hulud v2 campaign, which exploited a GitHub Actions workflow misconfiguration to steal credentials and publish malicious packages.
A major supply chain attack has been uncovered in the npm ecosystem, where more than 40 widely used packages were found compromised. The campaign, powered by a self-replicating malware dubbed "Shai-Hulud", is actively spreading and exfiltrating sensitive credentials. A malicious npm package named "@acitons/artifact" was found impersonating the legitimate "@actions/artifact" module, directly targeting the CI/CD pipelines within GitHub Actions workflows. The prevailing theory suggests that the compromise occurred due to a vulnerability in Ledger's GitHub workflow. It is believed that an attacker exploited a GitHub pull request workflow to gain access to Ledger's npm keys, enabling them to publish malicious code. CISA is releasing this alert to provide guidance in response to a widespread software supply chain compromise involving the world's largest JavaScript registry, npmjs. A self-replicating worm, publicly known as "Shai-Hulud", has compromised over 500 packages. [i]