
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages

Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and 40+ other packages.

Kush Pandya

Peter van der Zee

September 16, 2025

Multiple CrowdStrike npm packages published by the crowdstrike-publisher npm account were compromised. This looks like a continuation of the ongoing malicious supply chain campaign known as the “Shai-Hulud attack” that previously compromised tinycolor and 40+ other packages. The malware is identical to that of the previous campaign: a bundle.js script that:

  • Downloads and executes TruffleHog, a legitimate secret scanner
  • Searches host systems for tokens and cloud credentials
  • Validates discovered developer and CI credentials
  • Creates unauthorized GitHub Actions workflows within repositories
  • Exfiltrates sensitive data to a hardcoded webhook endpoint

The affected packages were quickly removed by the npm registry. The malware includes a workflow file named shai-hulud.yaml, a nod to the sandworms in Dune. While not a unique reference, its presence reinforces that the attacker deliberately branded the campaign “Shai-Hulud.”

In our previous analysis we found the payload writes a GitHub Actions workflow file named shai-hulud-workflow.yml. Around the same time, nearly 700 public repositories titled Shai-Hulud Migration appeared on GitHub. While the precise role of these repos is still under investigation, their naming and timing suggest they may be artifacts of attacker automation used to persist or stage the workflow. We will update the post as we know more.

Our previous post has further details on the malware itself. The bash block uses a GitHub personal access token if present, writes a GitHub Actions workflow into .github/workflows, and exfiltrates collected content to a webhook.

The script combines local scanning with service-specific probing. It looks for environment variables such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available. It also attempts cloud metadata discovery, which can leak short-lived credentials inside cloud build agents.

The workflow that it writes to repositories persists beyond the initial host. Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design.

Compromised Packages and Versions

The following npm packages and versions have been confirmed as affected:

  1. @ahmedhfarag/ngx-perfect-scrollbar@20.0.20
  2. @ahmedhfarag/ngx-virtual-scroller@4.0.4
  3. @art-ws/common@2.0.28
  4. @art-ws/config-eslint@2.0.4
  5. @art-ws/config-eslint@2.0.5
  6. @art-ws/config-ts@2.0.7
  7. @art-ws/config-ts@2.0.8
  8. @art-ws/db-context@2.0.24
  9. @art-ws/di-node@2.0.13
  10. @art-ws/di@2.0.28
  11. @art-ws/di@2.0.32
  12. @art-ws/eslint@1.0.5
  13. @art-ws/eslint@1.0.6
  14. @art-ws/fastify-http-server@2.0.24
  15. @art-ws/fastify-http-server@2.0.27
  16. @art-ws/http-server@2.0.21
  17. @art-ws/http-server@2.0.25
  18. @art-ws/openapi@0.1.12
  19. @art-ws/openapi@0.1.9
  20. @art-ws/package-base@1.0.5
  21. @art-ws/package-base@1.0.6
  22. @art-ws/prettier@1.0.5
  23. @art-ws/prettier@1.0.6
  24. @art-ws/slf@2.0.15
  25. @art-ws/slf@2.0.22
  26. @art-ws/ssl-info@1.0.10
  27. @art-ws/ssl-info@1.0.9
  28. @art-ws/web-app@1.0.3
  29. @art-ws/web-app@1.0.4
  30. @crowdstrike/commitlint@8.1.1
  31. @crowdstrike/commitlint@8.1.2
  32. @crowdstrike/falcon-shoelace@0.4.1
  33. @crowdstrike/falcon-shoelace@0.4.2
  34. @crowdstrike/foundry-js@0.19.1
  35. @crowdstrike/foundry-js@0.19.2
  36. @crowdstrike/glide-core@0.34.2
  37. @crowdstrike/glide-core@0.34.3
  38. @crowdstrike/logscale-dashboard@1.205.1
  39. @crowdstrike/logscale-dashboard@1.205.2
  40. @crowdstrike/logscale-file-editor@1.205.1
  41. @crowdstrike/logscale-file-editor@1.205.2
  42. @crowdstrike/logscale-parser-edit@1.205.1
  43. @crowdstrike/logscale-parser-edit@1.205.2
  44. @crowdstrike/logscale-search@1.205.1
  45. @crowdstrike/logscale-search@1.205.2
  46. @crowdstrike/tailwind-toucan-base@5.0.1
  47. @crowdstrike/tailwind-toucan-base@5.0.2
  48. @ctrl/deluge@7.2.1
  49. @ctrl/deluge@7.2.2
  50. @ctrl/golang-template@1.4.2
  51. @ctrl/golang-template@1.4.3
  52. @ctrl/magnet-link@4.0.3
  53. @ctrl/magnet-link@4.0.4
  54. @ctrl/ngx-codemirror@7.0.1
  55. @ctrl/ngx-codemirror@7.0.2
  56. @ctrl/ngx-csv@6.0.1
  57. @ctrl/ngx-csv@6.0.2
  58. @ctrl/ngx-emoji-mart@9.2.1
  59. @ctrl/ngx-emoji-mart@9.2.2
  60. @ctrl/ngx-rightclick@4.0.1
  61. @ctrl/ngx-rightclick@4.0.2
  62. @ctrl/qbittorrent@9.7.1
  63. @ctrl/qbittorrent@9.7.2
  64. @ctrl/react-adsense@2.0.1
  65. @ctrl/react-adsense@2.0.2
  66. @ctrl/shared-torrent@6.3.1
  67. @ctrl/shared-torrent@6.3.2
  68. @ctrl/tinycolor@4.1.1
  69. @ctrl/tinycolor@4.1.2
  70. @ctrl/torrent-file@4.1.1
  71. @ctrl/torrent-file@4.1.2
  72. @ctrl/transmission@7.3.1
  73. @ctrl/ts-base32@4.0.1
  74. @ctrl/ts-base32@4.0.2
  75. @hestjs/core@0.2.1
  76. @hestjs/cqrs@0.1.6
  77. @hestjs/demo@0.1.2
  78. @hestjs/eslint-config@0.1.2
  79. @hestjs/logger@0.1.6
  80. @hestjs/scalar@0.1.7
  81. @hestjs/validation@0.1.6
  82. @nativescript-community/arraybuffers@1.1.6
  83. @nativescript-community/arraybuffers@1.1.7
  84. @nativescript-community/arraybuffers@1.1.8
  85. @nativescript-community/gesturehandler@2.0.35
  86. @nativescript-community/perms@3.0.5
  87. @nativescript-community/perms@3.0.6
  88. @nativescript-community/perms@3.0.7
  89. @nativescript-community/perms@3.0.8
  90. @nativescript-community/sentry@4.6.43
  91. @nativescript-community/sqlite@3.5.2
  92. @nativescript-community/sqlite@3.5.3
  93. @nativescript-community/sqlite@3.5.4
  94. @nativescript-community/sqlite@3.5.5
  95. @nativescript-community/text@1.6.10
  96. @nativescript-community/text@1.6.11
  97. @nativescript-community/text@1.6.12
  98. @nativescript-community/text@1.6.13
  99. @nativescript-community/text@1.6.9
  100. @nativescript-community/typeorm@0.2.30
  101. @nativescript-community/typeorm@0.2.31
  102. @nativescript-community/typeorm@0.2.32
  103. @nativescript-community/typeorm@0.2.33
  104. @nativescript-community/ui-collectionview@6.0.6
  105. @nativescript-community/ui-document-picker@1.1.27
  106. @nativescript-community/ui-document-picker@1.1.28
  107. @nativescript-community/ui-drawer@0.1.30
  108. @nativescript-community/ui-image@4.5.6
  109. @nativescript-community/ui-label@1.3.35
  110. @nativescript-community/ui-label@1.3.36
  111. @nativescript-community/ui-label@1.3.37
  112. @nativescript-community/ui-material-bottom-navigation@7.2.72
  113. @nativescript-community/ui-material-bottom-navigation@7.2.73
  114. @nativescript-community/ui-material-bottom-navigation@7.2.74
  115. @nativescript-community/ui-material-bottom-navigation@7.2.75
  116. @nativescript-community/ui-material-bottomsheet@7.2.72
  117. @nativescript-community/ui-material-core-tabs@7.2.72
  118. @nativescript-community/ui-material-core-tabs@7.2.73
  119. @nativescript-community/ui-material-core-tabs@7.2.74
  120. @nativescript-community/ui-material-core-tabs@7.2.75
  121. @nativescript-community/ui-material-core-tabs@7.2.76
  122. @nativescript-community/ui-material-core@7.2.72
  123. @nativescript-community/ui-material-core@7.2.73
  124. @nativescript-community/ui-material-core@7.2.74
  125. @nativescript-community/ui-material-core@7.2.75
  126. @nativescript-community/ui-material-core@7.2.76
  127. @nativescript-community/ui-material-ripple@7.2.72
  128. @nativescript-community/ui-material-ripple@7.2.73
  129. @nativescript-community/ui-material-ripple@7.2.74
  130. @nativescript-community/ui-material-ripple@7.2.75
  131. @nativescript-community/ui-material-tabs@7.2.72
  132. @nativescript-community/ui-material-tabs@7.2.73
  133. @nativescript-community/ui-material-tabs@7.2.74
  134. @nativescript-community/ui-material-tabs@7.2.75
  135. @nativescript-community/ui-pager@14.1.36
  136. @nativescript-community/ui-pager@14.1.37
  137. @nativescript-community/ui-pager@14.1.38
  138. @nativescript-community/ui-pulltorefresh@2.5.4
  139. @nativescript-community/ui-pulltorefresh@2.5.5
  140. @nativescript-community/ui-pulltorefresh@2.5.6
  141. @nativescript-community/ui-pulltorefresh@2.5.7
  142. @nexe/config-manager@0.1.1
  143. @nexe/eslint-config@0.1.1
  144. @nexe/logger@0.1.3
  145. @nstudio/angular@20.0.4
  146. @nstudio/angular@20.0.5
  147. @nstudio/angular@20.0.6
  148. @nstudio/focus@20.0.4
  149. @nstudio/focus@20.0.5
  150. @nstudio/focus@20.0.6
  151. @nstudio/nativescript-checkbox@2.0.6
  152. @nstudio/nativescript-checkbox@2.0.7
  153. @nstudio/nativescript-checkbox@2.0.8
  154. @nstudio/nativescript-checkbox@2.0.9
  155. @nstudio/nativescript-loading-indicator@5.0.1
  156. @nstudio/nativescript-loading-indicator@5.0.2
  157. @nstudio/nativescript-loading-indicator@5.0.3
  158. @nstudio/nativescript-loading-indicator@5.0.4
  159. @nstudio/ui-collectionview@5.1.11
  160. @nstudio/ui-collectionview@5.1.12
  161. @nstudio/ui-collectionview@5.1.13
  162. @nstudio/ui-collectionview@5.1.14
  163. @nstudio/web-angular@20.0.4
  164. @nstudio/web@20.0.4
  165. @nstudio/xplat-utils@20.0.5
  166. @nstudio/xplat-utils@20.0.6
  167. @nstudio/xplat-utils@20.0.7
  168. @nstudio/xplat@20.0.5
  169. @nstudio/xplat@20.0.6
  170. @nstudio/xplat@20.0.7
  171. @operato/board@9.0.36
  172. @operato/board@9.0.37
  173. @operato/board@9.0.38
  174. @operato/board@9.0.39
  175. @operato/board@9.0.40
  176. @operato/board@9.0.41
  177. @operato/board@9.0.42
  178. @operato/board@9.0.43
  179. @operato/board@9.0.44
  180. @operato/board@9.0.45
  181. @operato/board@9.0.46
  182. @operato/data-grist@9.0.29
  183. @operato/data-grist@9.0.35
  184. @operato/data-grist@9.0.36
  185. @operato/data-grist@9.0.37
  186. @operato/graphql@9.0.22
  187. @operato/graphql@9.0.35
  188. @operato/graphql@9.0.36
  189. @operato/graphql@9.0.37
  190. @operato/graphql@9.0.38
  191. @operato/graphql@9.0.39
  192. @operato/graphql@9.0.40
  193. @operato/graphql@9.0.41
  194. @operato/graphql@9.0.42
  195. @operato/graphql@9.0.43
  196. @operato/graphql@9.0.44
  197. @operato/graphql@9.0.45
  198. @operato/graphql@9.0.46
  199. @operato/headroom@9.0.2
  200. @operato/headroom@9.0.35
  201. @operato/headroom@9.0.36
  202. @operato/headroom@9.0.37
  203. @operato/help@9.0.35
  204. @operato/help@9.0.36
  205. @operato/help@9.0.37
  206. @operato/help@9.0.38
  207. @operato/help@9.0.39
  208. @operato/help@9.0.40
  209. @operato/help@9.0.41
  210. @operato/help@9.0.42
  211. @operato/help@9.0.43
  212. @operato/help@9.0.44
  213. @operato/help@9.0.45
  214. @operato/help@9.0.46
  215. @operato/i18n@9.0.35
  216. @operato/i18n@9.0.36
  217. @operato/i18n@9.0.37
  218. @operato/input@9.0.27
  219. @operato/input@9.0.35
  220. @operato/input@9.0.36
  221. @operato/input@9.0.37
  222. @operato/input@9.0.38
  223. @operato/input@9.0.39
  224. @operato/input@9.0.40
  225. @operato/input@9.0.41
  226. @operato/input@9.0.42
  227. @operato/input@9.0.43
  228. @operato/input@9.0.44
  229. @operato/input@9.0.45
  230. @operato/input@9.0.46
  231. @operato/input@9.0.47
  232. @operato/input@9.0.48
  233. @operato/layout@9.0.35
  234. @operato/layout@9.0.36
  235. @operato/layout@9.0.37
  236. @operato/popup@9.0.22
  237. @operato/popup@9.0.35
  238. @operato/popup@9.0.36
  239. @operato/popup@9.0.37
  240. @operato/popup@9.0.38
  241. @operato/popup@9.0.39
  242. @operato/popup@9.0.40
  243. @operato/popup@9.0.41
  244. @operato/popup@9.0.42
  245. @operato/popup@9.0.43
  246. @operato/popup@9.0.44
  247. @operato/popup@9.0.45
  248. @operato/popup@9.0.46
  249. @operato/popup@9.0.49
  250. @operato/pull-to-refresh@9.0.36
  251. @operato/pull-to-refresh@9.0.37
  252. @operato/pull-to-refresh@9.0.38
  253. @operato/pull-to-refresh@9.0.39
  254. @operato/pull-to-refresh@9.0.40
  255. @operato/pull-to-refresh@9.0.41
  256. @operato/pull-to-refresh@9.0.42
  257. @operato/shell@9.0.22
  258. @operato/shell@9.0.35
  259. @operato/shell@9.0.36
  260. @operato/shell@9.0.37
  261. @operato/shell@9.0.38
  262. @operato/shell@9.0.39
  263. @operato/styles@9.0.2
  264. @operato/styles@9.0.35
  265. @operato/styles@9.0.36
  266. @operato/styles@9.0.37
  267. @operato/utils@9.0.22
  268. @operato/utils@9.0.35
  269. @operato/utils@9.0.36
  270. @operato/utils@9.0.37
  271. @operato/utils@9.0.38
  272. @operato/utils@9.0.39
  273. @operato/utils@9.0.40
  274. @operato/utils@9.0.41
  275. @operato/utils@9.0.42
  276. @operato/utils@9.0.43
  277. @operato/utils@9.0.44
  278. @operato/utils@9.0.45
  279. @operato/utils@9.0.46
  280. @operato/utils@9.0.49
  281. @teselagen/bio-parsers@0.4.30
  282. @teselagen/bounce-loader@0.3.16
  283. @teselagen/bounce-loader@0.3.17
  284. @teselagen/file-utils@0.3.22
  285. @teselagen/liquibase-tools@0.4.1
  286. @teselagen/ove@0.7.40
  287. @teselagen/range-utils@0.3.14
  288. @teselagen/range-utils@0.3.15
  289. @teselagen/react-list@0.8.19
  290. @teselagen/react-list@0.8.20
  291. @teselagen/react-table@6.10.19
  292. @teselagen/react-table@6.10.20
  293. @teselagen/react-table@6.10.22
  294. @teselagen/sequence-utils@0.3.34
  295. @teselagen/ui@0.9.10
  296. @thangved/callback-window@1.1.4
  297. @things-factory/attachment-base@9.0.43
  298. @things-factory/attachment-base@9.0.44
  299. @things-factory/attachment-base@9.0.45
  300. @things-factory/attachment-base@9.0.46
  301. @things-factory/attachment-base@9.0.47
  302. @things-factory/attachment-base@9.0.48
  303. @things-factory/attachment-base@9.0.49
  304. @things-factory/attachment-base@9.0.50
  305. @things-factory/auth-base@9.0.43
  306. @things-factory/auth-base@9.0.44
  307. @things-factory/auth-base@9.0.45
  308. @things-factory/email-base@9.0.42
  309. @things-factory/email-base@9.0.43
  310. @things-factory/email-base@9.0.44
  311. @things-factory/email-base@9.0.45
  312. @things-factory/email-base@9.0.46
  313. @things-factory/email-base@9.0.47
  314. @things-factory/email-base@9.0.48
  315. @things-factory/email-base@9.0.49
  316. @things-factory/email-base@9.0.50
  317. @things-factory/email-base@9.0.51
  318. @things-factory/email-base@9.0.52
  319. @things-factory/email-base@9.0.53
  320. @things-factory/email-base@9.0.54
  321. @things-factory/env@9.0.42
  322. @things-factory/env@9.0.43
  323. @things-factory/env@9.0.44
  324. @things-factory/env@9.0.45
  325. @things-factory/integration-base@9.0.43
  326. @things-factory/integration-base@9.0.44
  327. @things-factory/integration-base@9.0.45
  328. @things-factory/integration-marketplace@9.0.43
  329. @things-factory/integration-marketplace@9.0.44
  330. @things-factory/integration-marketplace@9.0.45
  331. @things-factory/shell@9.0.43
  332. @things-factory/shell@9.0.44
  333. @things-factory/shell@9.0.45
  334. @tnf-dev/api@1.0.8
  335. @tnf-dev/core@1.0.8
  336. @tnf-dev/js@1.0.8
  337. @tnf-dev/mui@1.0.8
  338. @tnf-dev/react@1.0.8
  339. @ui-ux-gang/devextreme-angular-rpk@24.1.7
  340. @yoobic/design-system@6.5.17
  341. @yoobic/jpeg-camera-es6@1.0.13
  342. @yoobic/yobi@8.7.53
  343. airchief@0.3.1
  344. airpilot@0.8.8
  345. angulartics2@14.1.1
  346. angulartics2@14.1.2
  347. browser-webdriver-downloader@3.0.8
  348. capacitor-notificationhandler@0.0.2
  349. capacitor-notificationhandler@0.0.3
  350. capacitor-plugin-healthapp@0.0.2
  351. capacitor-plugin-healthapp@0.0.3
  352. capacitor-plugin-ihealth@1.1.8
  353. capacitor-plugin-ihealth@1.1.9
  354. capacitor-plugin-vonage@1.0.2
  355. capacitor-plugin-vonage@1.0.3
  356. capacitorandroidpermissions@0.0.4
  357. capacitorandroidpermissions@0.0.5
  358. config-cordova@0.8.5
  359. cordova-plugin-voxeet2@1.0.24
  360. cordova-voxeet@1.0.32
  361. create-hest-app@0.1.9
  362. db-evo@1.1.4
  363. db-evo@1.1.5
  364. devextreme-angular-rpk@21.2.8
  365. ember-browser-services@5.0.2
  366. ember-browser-services@5.0.3
  367. ember-headless-form-yup@1.0.1
  368. ember-headless-form@1.1.2
  369. ember-headless-form@1.1.3
  370. ember-headless-table@2.1.5
  371. ember-headless-table@2.1.6
  372. ember-url-hash-polyfill@1.0.12
  373. ember-url-hash-polyfill@1.0.13
  374. ember-velcro@2.2.1
  375. ember-velcro@2.2.2
  376. encounter-playground@0.0.2
  377. encounter-playground@0.0.3
  378. encounter-playground@0.0.4
  379. encounter-playground@0.0.5
  380. eslint-config-crowdstrike-node@4.0.3
  381. eslint-config-crowdstrike-node@4.0.4
  382. eslint-config-crowdstrike@11.0.2
  383. eslint-config-crowdstrike@11.0.3
  384. eslint-config-teselagen@6.1.7
  385. eslint-config-teselagen@6.1.8
  386. globalize-rpk@1.7.4
  387. graphql-sequelize-teselagen@5.3.8
  388. graphql-sequelize-teselagen@5.3.9
  389. html-to-base64-image@1.0.2
  390. json-rules-engine-simplified@0.2.1
  391. json-rules-engine-simplified@0.2.4
  392. jumpgate@0.0.2
  393. koa2-swagger-ui@5.11.1
  394. koa2-swagger-ui@5.11.2
  395. mcfly-semantic-release@1.3.1
  396. mcp-knowledge-base@0.0.2
  397. mcp-knowledge-graph@1.2.1
  398. mobioffice-cli@1.0.3
  399. monorepo-next@13.0.1
  400. monorepo-next@13.0.2
  401. mstate-angular@0.4.4
  402. mstate-cli@0.4.7
  403. mstate-dev-react@1.1.1
  404. mstate-react@1.6.5
  405. ng2-file-upload@7.0.2
  406. ng2-file-upload@7.0.3
  407. ng2-file-upload@8.0.1
  408. ng2-file-upload@8.0.2
  409. ng2-file-upload@8.0.3
  410. ng2-file-upload@9.0.1
  411. ngx-bootstrap@18.1.4
  412. ngx-bootstrap@19.0.3
  413. ngx-bootstrap@19.0.4
  414. ngx-bootstrap@20.0.3
  415. ngx-bootstrap@20.0.4
  416. ngx-bootstrap@20.0.5
  417. ngx-color@10.0.1
  418. ngx-color@10.0.2
  419. ngx-toastr@19.0.1
  420. ngx-toastr@19.0.2
  421. ngx-trend@8.0.1
  422. ngx-ws@1.1.5
  423. ngx-ws@1.1.6
  424. oradm-to-gql@35.0.14
  425. oradm-to-gql@35.0.15
  426. oradm-to-sqlz@1.1.2
  427. ove-auto-annotate@0.0.10
  428. ove-auto-annotate@0.0.9
  429. pm2-gelf-json@1.0.4
  430. pm2-gelf-json@1.0.5
  431. printjs-rpk@1.6.1
  432. react-complaint-image@0.0.32
  433. react-complaint-image@0.0.35
  434. react-jsonschema-form-conditionals@0.3.18
  435. react-jsonschema-form-conditionals@0.3.21
  436. react-jsonschema-form-extras@1.0.4
  437. react-jsonschema-rxnt-extras@0.4.9
  438. remark-preset-lint-crowdstrike@4.0.1
  439. remark-preset-lint-crowdstrike@4.0.2
  440. rxnt-authentication@0.0.3
  441. rxnt-authentication@0.0.4
  442. rxnt-authentication@0.0.5
  443. rxnt-authentication@0.0.6
  444. rxnt-healthchecks-nestjs@1.0.2
  445. rxnt-healthchecks-nestjs@1.0.3
  446. rxnt-healthchecks-nestjs@1.0.4
  447. rxnt-healthchecks-nestjs@1.0.5
  448. rxnt-kue@1.0.4
  449. rxnt-kue@1.0.5
  450. rxnt-kue@1.0.6
  451. rxnt-kue@1.0.7
  452. swc-plugin-component-annotate@1.9.1
  453. swc-plugin-component-annotate@1.9.2
  454. tbssnch@1.0.2
  455. teselagen-interval-tree@1.1.2
  456. tg-client-query-builder@2.14.4
  457. tg-client-query-builder@2.14.5
  458. tg-redbird@1.3.1
  459. tg-redbird@1.3.2
  460. tg-seq-gen@1.0.10
  461. tg-seq-gen@1.0.9
  462. thangved-react-grid@1.0.3
  463. ts-gaussian@3.0.5
  464. ts-gaussian@3.0.6
  465. ts-imports@1.0.1
  466. ts-imports@1.0.2
  467. tvi-cli@0.1.5
  468. ve-bamreader@0.2.6
  469. ve-bamreader@0.2.7
  470. ve-editor@1.0.1
  471. ve-editor@1.0.2
  472. verror-extra@6.0.1
  473. voip-callkit@1.0.2
  474. voip-callkit@1.0.3
  475. wdio-web-reporter@0.1.3
  476. yargs-help-output@5.0.3
  477. yoo-styles@6.0.326

The attack surface is growing and we will continue updating this list.

Immediate Guidance

  • Uninstall or pin to known-good versions until patched releases are verified.
  • Audit environments (CI/CD agents, developer laptops) that installed the affected versions for unauthorized publishes or credential theft.
  • Rotate npm tokens and other exposed secrets if these packages were present on machines with publishing credentials.
  • Monitor logs for unusual npm publish or package modification events.
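As an added example (not Socket's code and not part of the original post), the following Node.js script checks a parsed package-lock.json against the affected package@version list above and flags the workflow file names the post ties to the campaign. The AFFECTED set is only a subset of the page's list, and the lockfile and workflow listing are constructed samples.

```javascript
// Added example, not Socket's code: audit a package-lock.json for the
// affected package@version pairs listed in this post, and flag the workflow
// file names the post associates with the campaign.
// A subset of the affected versions from the list above; paste the full
// list here for a real audit.
const AFFECTED = new Set([
  "@ctrl/tinycolor@4.1.1",
  "@ctrl/tinycolor@4.1.2",
  "@crowdstrike/foundry-js@0.19.1",
  "@crowdstrike/foundry-js@0.19.2",
  "eslint-config-crowdstrike@11.0.2",
  "eslint-config-crowdstrike@11.0.3",
  "ngx-bootstrap@20.0.5",
  "angulartics2@14.1.2",
]);

// Workflow file names the post says the payload writes into .github/workflows.
const SUSPICIOUS_WORKFLOWS = new Set(["shai-hulud.yaml", "shai-hulud-workflow.yml"]);

// Lockfile v2/v3 keys entries as "node_modules/<name>"; nested installs carry
// several "node_modules/" segments, and the package name follows the last one.
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns sorted "name@version" strings from a parsed lockfile that appear in
// `affected`. Handles the v2/v3 "packages" map and the v1 "dependencies" tree.
function findAffected(lock, affected = AFFECTED) {
  const hits = new Set();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockKey(key); // null for the root "" entry
    if (name && entry.version && affected.has(`${name}@${entry.version}`)) {
      hits.add(`${name}@${entry.version}`);
    }
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (affected.has(`${name}@${entry.version}`)) hits.add(`${name}@${entry.version}`);
      walk(entry.dependencies); // v1 nests transitive deps under each entry
    }
  };
  if (!lock.packages) walk(lock.dependencies);
  return [...hits].sort();
}

// Case-insensitive match of workflow file names against the campaign's names.
function filterSuspiciousWorkflows(fileNames) {
  return fileNames.filter((f) => SUSPICIOUS_WORKFLOWS.has(f.toLowerCase()));
}

// Constructed sample lockfile (v3): one direct hit, one nested hit, and a
// version of ngx-bootstrap that is not in the affected set.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.2" },
    "node_modules/ngx-bootstrap": { version: "20.0.2" },
    "node_modules/some-dep/node_modules/angulartics2": { version: "14.1.2" },
  },
};
// Constructed directory listing of .github/workflows.
const SAMPLE_WORKFLOWS = ["ci.yml", "release.yml", "shai-hulud-workflow.yml"];

console.log("affected:", findAffected(SAMPLE_LOCK));
console.log("suspicious workflows:", filterSuspiciousWorkflows(SAMPLE_WORKFLOWS));
```

For a real repository, pass JSON.parse of its package-lock.json to findAffected and the file names from .github/workflows to filterSuspiciousWorkflows.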

A full technical analysis of the malware, its propagation method, and remediation guidance will follow as our investigation progresses.

Timeline

All times are npm publishing times in 24-hour UTC.

September 14, 2025

17:58 first observed compromise

  • rxnt-authentication@0.0.3 (17:58:50)
  • json-rules-engine-simplified@0.2.1 (17:58:51)
  • react-jsonschema-form-conditionals@0.3.18 (17:58:52)
  • encounter-playground@0.0.2 (17:58:52)
  • rxnt-healthchecks-nestjs@1.0.2 (17:58:53)
  • rxnt-kue@1.0.4 (17:58:54)
  • react-complaint-image (17:58:02)

Hash for this batch: de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6

18:35 small burst

Hash: 81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3

20:29–20:45 first large burst (25+ packages)

Hash: 83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e

21:01–21:03 burst (~17 packages)

Hash: 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db

September 15, 2025

01:12 burst (~10 packages)

Hash unchanged from 21:01 group: 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db

02:11 new hash appears, reused across multiple bursts

Hash: dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c

Observed reuse at: 04:58, 05:21, 07:43, 08:21, 08:58, 09:16, 10:41, 13:14, and the next day at 07:41

Impact: more than 100 packages across these bursts (especially at 09:16 and 10:41)

15:35 new hash becomes active for the rest of the day

Hash: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09

Bursts observed at: 19:52, 20:23, 22:35, 23:43

Impact: more than 50 packages

September 16, 2025

01:14 first batch of the day (CrowdStrike set)

Hash: b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777

Impact: largest single burst, nearly 100 packages

02:32 additional burst (~20 packages)

Hash: b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777

03:18 previous day’s hash returns

Hash: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09

Impact: ~20 packages at 03:18, ~10 around 05:32, ~60 between 06:17 and 07:11 (many under @operato)

07:41 earlier hash from the 15th reappears

Hash: dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c

Impact: additional handful of packages

10:57–11:09 more @operato packages

Hash: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09

Indicators of Compromise

  • bundle.js SHA-256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
  • Exfiltration endpoint: hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
