Kaspersky Threat Research has conducted an analysis of the Shai-Hulud worm's patient zero package, providing insights into how the self-replicating malware launched its widespread supply chain attack on the npm ecosystem. According to the latest Kaspersky research, the Shai-Hulud worm infected 190 unique packages across 530 total package versions, indicating that many packages had multiple compromised versions published during the attack.
The Shai-Hulud worm, a self-replicating malware first disclosed on 15 September 2025, spreads automatically through developer accounts by stealing authentication tokens and publishing infected versions of legitimate packages. While the attack's impact has been widely documented, Kaspersky's analysis reveals technical details about the initial infection mechanics and the worm's sophisticated spreading methods.
"Our analysis provides critical intelligence about how this supply chain attack operated and the true scope of repository exposure," said Vladimir Gurskiy, malware analyst at Kaspersky Threat Research. "The worm's systematic migration of private repositories from organisations to individual accounts represents a significant escalation in supply chain threats, potentially exposing years of proprietary development work. This research reinforces why we maintain the Kaspersky Open Source Software Threats Data Feed — organisations need real-time intelligence about compromised packages to protect their development pipelines from exactly these types of sophisticated attacks."
Kaspersky's research confirms that ngx-bootstrap version 18.1.4 served as the patient zero package and explains the technical methodology for this determination. Researchers identified a crucial distinguishing characteristic: while all subsequent infected packages executed malicious code through post-installation scripts, the patient zero package uniquely used a pre-installation command, revealing it as the starting point rather than a victim of automated spreading.
The worm contains functionality specifically designed to compromise private organisational repositories on GitHub. Beyond stealing authentication tokens, it automatically migrates private and internal repositories from GitHub organisations into user accounts, effectively making confidential corporate code publicly accessible and exposing entire proprietary codebases.
Kaspersky solutions identify the malware as HEUR:Worm.Script.Shulud.gen. Organisations can check for infection by searching for "shai-hulud" branches in their GitHub repositories or the presence of shai-hulud-workflow.yml files.
Read more details on Securelist.
Kaspersky had previously warned about the growing trend of supply chain attacks targeting open-source ecosystems. The company's security researchers identified malicious module creation as an increasingly popular attack vector among threat actors.
To stay protected against such threats, Kaspersky advises the following:
- Proactively monitor your dependencies. Utilising Kaspersky Open Source Software Threats Data Feed helps with this. This feed is designed to help organisations proactively defend against supply chain attacks by providing real-time intelligence on malicious activity targeting open-source platforms.
- Protect personal devices with strong cybersecurity solutions, such as Kaspersky Premium, which provides multi-layered protection to prevent and neutralise supply chain malware infections that target authentication tokens and credentials stored on your devices.
- Secure Linux development environments. Kaspersky for Linux helps protect build servers and CI/CD pipelines where npm packages are installed and executed, preventing self-spreading worms from compromising your entire development infrastructure.
- Deploy a corporate cybersecurity solution, such as from the Kaspersky Next product line, to defend against diverse cybersecurity threats across organisations of any size and industry, delivering comprehensive real-time protection alongside advanced threat visibility and investigation capabilities.
