crowdstrike-npm

Incident Summary

CrowdStrike NPM Packages Compromise (Shai-Hulud Worm)

The Shai-Hulud self-propagating worm compromised several official @crowdstrike/ scoped npm packages as part of a broader 526-package wave. This record tracks the CrowdStrike package scope specifically. The malware hunted for GITHUB_TOKEN, NPM_TOKEN, and cloud credentials by executing TruffleHog, then propagated by hijacking publish rights to inject malicious postinstall scripts and republish affected packages.

Date
2025-09-14 to 2025-09-16
Category
Open Source
Target Surface
Package registry
Insertion Phase
distribution
Impact
Credential theft
Cause
Compromised Account/Credentials

What Was Affected

Package
crowdstrike-npm
Language
JavaScript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.com

Compromised Versions

Incident Context

Motive
Credential Theft
Attribution
Third Party
Transitive
No
User Impact
0
Observed Duration
2 days

Indicators and Changes

Hashes


External References

Source Data

Source record: oss/crowdstrike-npm/meta.yaml