Self-Replicating Worm Hits 180+ Software Packages

ID: 1774175d-ae28-5ef2-bae5-ab39b45dd589

STIX ID: report--1774175d-ae28-5ef2-bae5-ab39b45dd589

Feed Name: Krebs on Security

Threat Score
85/100

Date Published: 2025-09-16

Date Updated: 2026-04-19

Author: BrianKrebs

...
...

A self-propagating supply-chain malware strain called "Shai-Hulud" has infected numerous NPM packages: it locates npm/GitHub tokens and other credentials on compromised developer machines (Linux/macOS), injects itself into the top ~20 packages accessible to the token, and publishes harvested secrets to new public GitHub repositories named with "Shai-Hulud." The worm leverages TruffleHog for reconnaissance, can enumerate cloud (AWS/Azure/GCP) secrets, briefly impacted code packages (including some tied to CrowdStrike), and has prompted rapid removals, key rotations, and calls for stronger publication 2FA and human consent controls on package registries.