Recently there have been two attacks impacting JavaScript libraries:
In early October 2025, the sophisticated JavaScript worm Shai-Hulud compromised more than 700 JavaScript packages, some of which were downloaded millions of times per week. As a reminder, Shai-Hulud is a worm bundled within compromised JavaScript packages that uses TruffleHog to detect secrets in development environments, before exfiltrating data to GitHub.
On November 24, 2025, a second wave of presumed Shai-Hulud-related infections was observed by several vendors including Wiz.io, Veracode, Socket.dev and Aikido.dev. Currently, over 28,000 repositories seem to be affected on GitHub. These repositories are associated with the compromise of over 500 packages, including major ones such as Zapier, PostHog or Postman.
The threat level of this advisory has been raised to 4 out of 5.
Wiz has provided guidance on mitigation and detection of this threat, advising:
The NPM ecosystem is once again facing a critical supply chain attack. Cybersecurity researchers from Socket and Aikido have reported that a sophisticated worm, nicknamed “Shai-Hulud”, has been infecting numerous NPM packages and compromising the GitHub accounts of affected maintainers. Initially, 40 packages had been compromised, including @ctrl/tinycolor which is downloaded 2M times a week, but at least 147 additional ones have been impacted, including packages maintained by CrowdStrike.
Shai-Hulud amplifies its impact on GitHub by traversing all repositories accessible through the compromised account. It steals tokens, API keys, and other sensitive information while replicating itself automatically within the supply chain, triggering new exfiltrations. As a result, it will likely compromise new packages in the future.
This incident is part of a recent wave of attacks targeting developers. Unfortunately, the scale of this attack is huge: the compromised packages account for millions of weekly downloads. The potential impact extends to a massive number of developers and applications. Therefore, we classify this alert as level 3 out of 5.
We recommend checking that your CI/CD pipelines do not blindly upgrade your environment to any of the affected package versions. To check whether compromised packages have been installed, tools such as the ripgrep search utility can be used (or "npm audit").
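As an added illustration of both checks above (not code from this advisory or from any of the vendors named), a Node script that matches the "packages" map of a package-lock.json against a known-bad name@version list and flags dependency ranges in package.json that are not exact pins; the IoC entry and both sample files are constructed placeholders.

```javascript
// Added example: lockfile scan plus pin check. KNOWN_BAD is a CONSTRUCTED
// placeholder; populate it from vendor IoC lists, not from this example.
const KNOWN_BAD = new Set(["@example/compromised-pkg@1.2.3"]);

// Package name from a lockfile path, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(path, meta) {
  if (meta.name) return meta.name;
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx >= 0 ? path.slice(idx + marker.length) : path;
}

// Every installed entry (lockfileVersion 2/3 "packages" map, nested copies
// included) whose name@version is on the IoC list.
function findCompromised(lock, knownBad = KNOWN_BAD) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = nameFromPath(path, meta);
    if (knownBad.has(`${name}@${meta.version}`)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Ranges such as ^1.2.0, ~9.0.0, * or "latest" let "npm install"/"npm update"
// in a pipeline drift to a newer (possibly compromised) release; "npm ci"
// against a committed lockfile does not.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(range)) out.push({ field, name, range });
    }
  }
  return out;
}

// Constructed sample inputs shaped like real package-lock.json / package.json.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/@example/compromised-pkg": { version: "1.2.3" },
  "node_modules/foo/node_modules/@example/compromised-pkg": { version: "1.2.4" },
} };
const SAMPLE_PKG = { dependencies: { "left-pad": "1.3.0", "@example/compromised-pkg": "^1.2.0" },
                     devDependencies: { eslint: "~9.0.0" } };

console.log(JSON.stringify({ hits: findCompromised(SAMPLE_LOCK), unpinned: findUnpinned(SAMPLE_PKG) }, null, 2));
```

On a real project, replace the two sample objects with `JSON.parse` of the checked-in package-lock.json and package.json.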
TruffleHog can be used to check whether secrets are exposed in your code. Also, private repositories may have been made public, and need to be secured again if impacted.