This page summarises the SHA1-Hulud supply chain attack, which involved malicious npm packages containing hidden preinstall scripts. Installing these packages allowed attackers to take control of developer machines and CI runners, inject malicious GitHub workflows, and exfiltrate secrets from GitHub, npm, and major cloud providers. Some compromised developer data was also uploaded to attacker-controlled repositories.

You can use this list to identify compromised versions and take remediation actions.

For more details, please view our public blog post: “Zero-day Extensive NPM Package Compromise – Shai-Hulud Supply Chain Attack.”
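One way to act on a list like this, as an added example that is not part of the original advisory or blog post: audit a project's package-lock.json (lockfileVersion 2/3) for exact matches against the compromised versions and for any dependency that npm recorded as carrying an install-time lifecycle script, the mechanism the malicious packages relied on. The package names and versions in COMPROMISED and the embedded sample lockfile are constructed placeholders; replace COMPROMISED with the entries from the list on this page.

```python
import json
import sys

# Constructed placeholder entries: replace with name -> versions from the advisory's list.
COMPROMISED = {
    "example-pkg-a": {"1.2.3"},
    "@example/pkg-b": {"4.0.1", "4.0.2"},
}

# Constructed package-lock.json (lockfileVersion 2/3 layout) used when no path is given.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.0.1"},
    "node_modules/example-pkg-a": {"version": "1.2.3", "hasInstallScript": true},
    "node_modules/@example/pkg-b": {"version": "3.9.0"},
    "node_modules/example-pkg-c": {"version": "2.0.0", "hasInstallScript": true}
  }
}""")


def audit_lockfile(lock, compromised):
    """Return (name, version, reason) findings for a lockfileVersion 2/3 lock.

    Two checks: an exact match against the compromised version list, and any
    dependency npm flagged with "hasInstallScript" (preinstall/install/postinstall
    hooks), which is how the malicious packages executed on install.
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # "node_modules/@scope/name" or nested "node_modules/a/node_modules/b"
        name = path.split("node_modules/")[-1]
        version = meta.get("version", "")
        if version in compromised.get(name, set()):
            findings.append((name, version, "known compromised version"))
        if meta.get("hasInstallScript"):
            findings.append((name, version, "has install script"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for name, version, reason in audit_lockfile(lock, COMPROMISED):
        print(f"{name}@{version}: {reason}")
```

A hit on the compromised list means the affected machine or CI runner should be treated as compromised, with GitHub, npm and cloud credentials rotated; a bare install-script finding is only a prompt to inspect that package's scripts.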

Packages affected by zero-day vulnerabilities

Showing 30 of 200 • Page 1 of 7