Open Source 2025-09-14 · 2 days · Credential Theft, Self Propagation

CrowdStrike npm packages hit by Shai-Hulud

Part of the Shai-Hulud npm worm stole developer secrets campaign

The Shai-Hulud self-propagating worm compromised several official @crowdstrike/ scoped npm packages as part of a broader 526-package wave. This record tracks the CrowdStrike package scope specifically.

Story

CrowdStrike's npm scope was one branch of the first Shai-Hulud campaign. The affected packages were legitimate @crowdstrike/ packages on npm, not look-alikes, and they were published during the September 16 burst.

The payload was the same worm family seen across the campaign. Install-time JavaScript looked for developer secrets, GitHub tokens, npm tokens, and cloud credentials, then used GitHub as both a leak surface and a propagation surface.

The CrowdStrike set matters because it shows how the worm crossed organizational boundaries. A token with publish rights gave the attacker the registry path; npm then distributed the compromised archives under trusted package names.

This record keeps the CrowdStrike scope separate from the campaign because package ownership, versions, and remediation are specific. The campaign record carries the larger worm behavior and cross-package spread.

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: No
Actor: Third Party

Indicators


External References

Source record: oss/attacks/crowdstrike-npm/meta.yaml