
Cybersecurity researchers have uncovered a fresh software supply chain attack involving more than 320 malicious npm packages linked to the “Shai-Hulud” campaign, according to a new report.
The attack targeted the widely used npm ecosystem, which developers rely on for JavaScript packages and open-source software dependencies. Researchers stated that the malicious packages were designed to compromise developer environments and potentially steal sensitive information.
According to the report, the newly discovered campaign follows earlier Shai-Hulud-related attacks that similarly attempted to infiltrate software supply chains by distributing harmful code through trusted package repositories.
Security analysts said the malicious packages contained scripts capable of downloading additional payloads, executing remote commands, and collecting data from infected systems. The campaign reportedly focused on compromising developer credentials and access tokens that could later be used for broader attacks.
Researchers noted that supply chain attacks have become increasingly common because attackers can impact large numbers of downstream users by compromising a single dependency or software package.
The report stated that many of the malicious npm packages were disguised as legitimate utilities or developer tools, making them difficult to identify at first glance. Some packages reportedly mimicked the names of trusted libraries to trick developers into downloading them.
Cybersecurity experts warned that developers and organizations should carefully audit dependencies, monitor package activity, and implement stricter verification practices when using open-source software repositories.
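One concrete way to act on that advice is to scan a project's lockfile for the two signals the report describes: dependencies that run install-time scripts and package names that closely mimic a trusted library. The script below is an added example, not code from the report or from any cited researcher; the lockfile it reads is constructed sample input, and the `TRUSTED` allowlist is assumed to be maintained by the project team. It relies on the `hasInstallScript` flag that npm records in lockfile versions 2 and 3.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3) for
// entries that run lifecycle install scripts ("hasInstallScript": true) and
// for names within a small edit distance of a trusted package (typosquatting).
// SAMPLE_LOCK is constructed sample input, not a real lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { lodash: "^4.17.21", lodahs: "1.0.0", "left-pad-utils": "2.0.0" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodahs": { version: "1.0.0", hasInstallScript: true },
    "node_modules/left-pad-utils": { version: "2.0.0", hasInstallScript: true },
  },
};

// Assumed allowlist of package names the project is known to depend on.
const TRUSTED = ["lodash", "express", "left-pad"];

// Levenshtein edit distance between two strings, used to spot near-miss names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns findings [{ name, version, reasons }] for every dependency worth a manual review.
function auditLock(lock, trusted = TRUSTED, maxEdits = 2) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const reasons = [];
    if (meta.hasInstallScript) reasons.push("runs an install-time lifecycle script");
    if (!trusted.includes(name)) {
      const near = trusted.find((t) => editDistance(name, t) <= maxEdits);
      if (near) reasons.push(`name is within ${maxEdits} edits of trusted package "${near}"`);
    }
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk.
function auditLockFile(filePath) {
  return auditLock(JSON.parse(require("fs").readFileSync(filePath, "utf8")));
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

A flagged entry is a prompt for review, not proof of compromise: many legitimate packages ship install scripts, so the useful follow-up is to read the script and compare the package against the name and publisher the project intended to depend on.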
The article also highlighted the growing concern around software supply chain security as attackers increasingly target open-source ecosystems that power modern applications and enterprise systems.
Researchers urged users to immediately remove any identified malicious packages, rotate exposed credentials, and review systems for signs of compromise following the discovery of the campaign.