Date: 04/27/2026
Severity: High
Summary
The npm ecosystem hit a critical turning point in September 2025. The Shai-Hulud worm, a self-replicating malware, automated the spread of compromised packages. This marked the shift from minor disruptions to serious, high-impact threats. Since then, supply chain attacks have rapidly increased in frequency and sophistication. What began as isolated typosquatting has become coordinated efforts exploiting developer trust.
Indicators of Compromise (IOC) List
Domains/URLs: audit.checkmarx.cx, checkmarx.cx
IP Addresses: 94.154.172.43, 91.195.240.123
SHA-1 Hash: bc544f455d7c06c8a1f3446160a6d9a4a8236b11
SHA-256 Hashes:
f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d
18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb
167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad
Email: helloworm00@proton.me
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "audit.checkmarx.cx" or url like "audit.checkmarx.cx" or siteurl like "audit.checkmarx.cx" or domainname like "checkmarx.cx" or url like "checkmarx.cx" or siteurl like "checkmarx.cx"
Detection Query 2: dstipaddress IN ("91.195.240.123","94.154.172.43") or srcipaddress IN ("91.195.240.123","94.154.172.43")
Detection Query 3: sha256hash IN ("f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d","18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb")
Detection Query 4: sha1hash IN ("bc544f455d7c06c8a1f3446160a6d9a4a8236b11")
Detection Query 5: sender IN ("helloworm00@proton.me") or from IN ("helloworm00@proton.me")
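A small Python matcher, added here as an example (not part of this advisory or of the Gurucul platform), that applies the five detection queries above to constructed log events. Field names follow the queries; hash and e-mail values are case-normalised, URLs are reduced to their hostname, and domains are matched as exact or subdomain rather than substring, which is where a LIKE-style test can over-match. It carries all three SHA-256 hashes from the IOC list, including the one Detection Query 3 omits.

```python
from urllib.parse import urlparse

# Indicator values copied from the advisory's IOC list (all three SHA-256 hashes, including the one Query 3 omits).
IOC_DOMAINS = {"audit.checkmarx.cx", "checkmarx.cx"}
IOC_IPS = {"94.154.172.43", "91.195.240.123"}
IOC_SHA1 = {"bc544f455d7c06c8a1f3446160a6d9a4a8236b11"}
IOC_SHA256 = {
    "f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d",
    "18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb",
    "167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad",
}
IOC_EMAILS = {"helloworm00@proton.me"}

def host_of(value):
    """Reduce a URL or bare hostname field to a lowercase hostname."""
    value = value.strip().lower()
    if "://" in value:
        value = urlparse(value).hostname or ""
    return value.rstrip(".")

def domain_hit(value):
    """Exact or subdomain match: 'audit.checkmarx.cx' fires but 'checkmarx.cx.example', which
    merely contains the string, does not; a plain substring LIKE test would match both."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_event(event):
    """Return the names of the advisory queries (1-5) that this event triggers."""
    hits = []
    if any(domain_hit(event[f]) for f in ("domainname", "url", "siteurl") if f in event):
        hits.append("query1_domain")
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:
        hits.append("query2_ip")
    if event.get("sha256hash", "").lower() in IOC_SHA256:  # hashes compared case-insensitively
        hits.append("query3_sha256")
    if event.get("sha1hash", "").lower() in IOC_SHA1:
        hits.append("query4_sha1")
    if {event.get("sender", "").lower(), event.get("from", "").lower()} & IOC_EMAILS:
        hits.append("query5_email")
    return hits

# Constructed sample events; 192.0.2.0/24 and 203.0.113.0/24 are documentation-only ranges.
SAMPLE_EVENTS = [
    {"url": "https://audit.checkmarx.cx/api/collect", "dstipaddress": "192.0.2.5"},
    {"sha256hash": "167CE57EF59A32A6A0EF4137785828077879092D7F83DDBC1755D6E69116E0AD"},
    {"domainname": "checkmarx.cx.example", "dstipaddress": "203.0.113.9"},
    {"from": "HelloWorm00@proton.me", "sha1hash": "bc544f455d7c06c8a1f3446160a6d9a4a8236b11"},
    {"srcipaddress": "94.154.172.43", "dstipaddress": "192.0.2.10"},
]
```

Running `match_event` over `SAMPLE_EVENTS` flags events 0, 1, 3 and 4 and leaves the look-alike host in event 2 alone.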
Reference:
https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/