What We Know About the NPM Supply Chain Attack

    Date: 09/18/2025

    Severity: High

    Summary

    On September 15, attackers launched a targeted phishing campaign to compromise NPM maintainer accounts and inject malicious code into popular JavaScript packages. The attack enabled supply chain compromise, affecting key packages used in application development and cryptography. One payload, Cryptohijacker, redirected cryptocurrency via API hijacking and has impacted organizations across North America and Europe. Another payload, the Shai-hulud worm, spreads through compromised packages, steals cloud tokens, and scans for secrets—though no detections have been confirmed yet. This incident highlights the growing threat to open-source ecosystems through highly targeted supply chain attacks.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

    npmjs.help

    Hashes (SHA-1 and SHA-256; the full set appears in Detection Queries 2 and 3 below):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "npmjs.help" or url like "npmjs.help" or siteurl like "npmjs.help" or domainname like "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7" or url like "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7" or siteurl like "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"

    Detection Query 2:

    sha1hash IN ("d4117240a8122c9f5c463a4d5b8a4d34cd243147","78b18ee8f16e3d06997189ebac933c1048c74687","014228830250bf081fce9db0826b10305bf4a075","8901bdcff8a93cc32d65f6dd5dc3a64bb702c37a","f04799faa6add499aad64c9e50ecd8922656812d","70957568e6802538949197cf17709f8f29757c86","60cb12384a8defcb020d996f16500cb4ae60544c","3bc38b1fb607e2e393f0586ad137bec99e8a22dc","e03f836f966616503dc4588bd17f80f4edf709cb","067648958b75806072527df55d9d3f727e4d2533","1fa896bff4d0aea2bdd90e2ca8ec58160d6e9130","3cf10775ef49ed218730c2cfe9ac865d7d9782af","5518bc3a1df75f8e480efb32fa78de15e775155d","4b2d21961eb5ae538ae00c85655b28156c5135e3","c6490428b140893c27274b9e3bb33d2ab48a478d","7a1ca7d142305e2886b988c2f0b524f89f003940","87ecf3a97a3d760d99b1c7f91334d0e38ccc3089","0be45aa0f8f92e63b74f888fce0e8ccb3a843033","c577059020b7ae370c67cf0a3170eff4d7f2b038","b28a3ab62a108d8094d2d2a8fa9f60a6af9189e6","411a826870d686ba2d880efb2fd3db484d151560","ebcf69dc3d77aab6a23c733bf8d3de835a4a819a","9d893b6e0b50221889fbd2136d77112208746483","7f64e210a3e4f0a4d4353f5b0e24cc6ed5f25f13","1af9b4373657582edb9e20eab34b152be2ec70b4","19b5dc3aea3d2e403f6e1bfb2aadf4873a87c4b9","e97440fa7b29d5e4986bc88d7b2d8cec6f251267","24a8425476dcf8106ff86e5a5dbdfe56767c3f83","8b98ab71cc71c8768de27af80a3e0d1bc6c8d809","f8b9d1fd523282a9b620568927fb26daaeca4383","9c14e3b712695d02c886df3503ce9ceadf67b99e","f416d1e4c19a8293306968d35fe27aa2be0a5d80","b43a8985746997b08842d55d32e8050dd943349a","47b63bc786960fda917ea9f5ff0023a3c50e2ca3","ef25127522cd65bf943000f78f9dd9bcdd8217f0","bd398b4c641cc656510398bd70e181d572a9bc7b","ea8069be02451e9f78caf626547d63ce37c9e004","6323eac15e6029f92d7f53f786909dec04acc22a","94870190e0a2cc34cfb5800f3a7434b45273395d","911ec8f2f54043c129d5a4116e0cddb04e96f71d","af9729d777b9837891f742db750bf35a0961c77e","7abebf9c56d06083102f0a01b10ace155c9e8855","1e7dbe865a3e0408a319ee4a8b091add28452524","7c01f6ed54dc5c8dd7f3d44fb2c5e7baed2b8e84","41b328df338a31e5afb05e4e37b3e89b29394523","b0c9ed032985beda979cb0becba7b4a47b1de30c","8ad058047c5f2875f53cc12236cd715ab40918bb","7e091778fdc88f043f3a5ad02647ca0ecb106311","81f533be5a9ec9bb167634e509ed907896d6ea16","2252418758a34f8b2708d13d641b8eea3a76a91c","499756844aa7249d94c3ca3fd3f5346b3bdcabfe")

    Detection Query 3:

    sha256hash IN ("46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09","b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777","dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c","4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db")
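    The three queries above match the same two IOC classes (SHA-1/SHA-256 file hashes and the phishing/exfiltration domains) against log data. As an added example that is not part of the advisory or any Gurucul tooling, the Python script below applies the same checks locally to a directory such as a project's node_modules: it hashes every file against IOC hash sets and also looks for the listed domain strings inside file contents. The function names are hypothetical, the hash sets are left as placeholders to be filled from Detection Queries 2 and 3, and demo() builds a constructed sample tree in a temporary directory.

```python
import hashlib
import os
import tempfile

# IOC domains/URLs from the advisory. The hash sets are placeholders here:
# populate them from Detection Queries 2 (SHA-1) and 3 (SHA-256).
IOC_DOMAINS = ("npmjs.help", "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7")
IOC_SHA1 = set()
IOC_SHA256 = set()

def hash_file(path):
    """Return (sha1, sha256) hex digests of a file, streamed in 64 KiB chunks."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h1.update(chunk)
            h256.update(chunk)
    return h1.hexdigest(), h256.hexdigest()

def scan_tree(root, sha1_iocs=IOC_SHA1, sha256_iocs=IOC_SHA256, domains=IOC_DOMAINS):
    """Walk root (e.g. a project's node_modules) and return sorted (path, reason)
    pairs for files whose hash is an IOC or whose bytes contain an IOC domain."""
    needles = [d.encode() for d in domains]
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            s1, s256 = hash_file(path)
            if s1 in sha1_iocs or s256 in sha256_iocs:
                findings.append((path, "hash match"))
                continue
            with open(path, "rb") as f:
                data = f.read()
            for n in needles:
                if n in data:
                    findings.append((path, "contains " + n.decode()))
                    break
    return sorted(findings)

def demo():
    """Constructed sample tree: a clean file, a file embedding the webhook URL,
    and a file whose SHA-1 stands in for an advisory hash. Returns findings."""
    root = tempfile.mkdtemp()
    files = {"index.js": "module.exports = () => 'hello';\n",
             "bundle.js": "fetch('https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7');\n",
             "setup.js": "// constructed sample payload\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    sha1_iocs = {hash_file(os.path.join(root, "setup.js"))[0]}  # stand-in IOC
    return [(os.path.basename(p), r) for p, r in scan_tree(root, sha1_iocs)]
```

    Hash matching only catches files byte-identical to the published samples, so the domain-string check is the more durable of the two when package contents are repacked.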

    References:

    http://trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html

    https://unit42.paloaltonetworks.com/npm-supply-chain-attack/


    Tags

    Malware, Phishing, Shai-hulud, Node Package Manager (NPM), cryptocurrency, Cryptohijacker, North America, Europe
