The npm Threat Landscape: Attack Surface and Mitigations
ID: e48d6a11-8899-571c-a571-9e477dedc535
STIX ID: report--e48d6a11-8899-571c-a571-9e477dedc535
Feed Name: Palo Alto Networks Unit 42
Unit 42 documents a high-impact, wormable npm supply-chain campaign (Shai-Hulud) that impersonated legitimate packages (e.g., @bitwarden/[email protected]) to install a Bun-based payload. The payload harvests npm/GitHub tokens and cloud secrets, exfiltrates data via an encrypted C2 and staged GitHub repos, and self-propagates by backdooring packages and injecting malicious preinstall hooks. The report provides technical analysis, IoCs (domains, IPs, hashes, GitHub artifacts), attribution to TeamPCP, and detailed mitigation guidance.
