Following our recent update regarding the NPM Supply Chain Trio - Qix, CrowdStrike, Shai-Hulud, we have continued our threat-focused hunting efforts, specifically reviewing IOC hits and related TTPs.
Axon reports have been published for Team Axon customers. These reports include:
- A consolidated list of IOCs
- Hunting queries
- TP results for relevant environments
Any findings requiring your attention are highlighted in your Axon report.
We will continue to closely monitor developments related to the NPM Supply Chain Trio - Qix, CrowdStrike, Shai-Hulud, and provide updates as necessary. If you have any questions or need further assistance, please do not hesitate to reach out.
Best regards, Team Axon
Posted Sep 18, 2025 - 13:12 UTC
Identified
Dear Customers,
Team Axon is closely tracking multiple ongoing NPM supply chain compromises that have impacted widely used packages and present a significant risk across enterprise environments. These incidents highlight the growing threat of dependency hijacking and malicious package injection.
Qix Compromise: Attackers phished the account of a maintainer (Qix), allowing them to publish malicious versions of highly popular packages such as chalk and debug. The injected payload was designed to hijack cryptocurrency transactions in browser contexts.
CrowdStrike Compromise: Malicious versions of several NPM packages, including eslint-config-prettier, were distributed after attackers gained access. These carried the Scavenger malware, capable of exfiltrating browser data, authentication tokens, and other sensitive information.
Shai-Hulud Worm: A self-propagating campaign compromised more than 180 NPM packages. This worm steals secrets and tokens (e.g., GitHub, AWS, NPM) and republishes new infected package versions under compromised maintainer accounts, enabling rapid spread.
These compromises expose organizations to:
- Theft of source code, tokens, and credentials stored in build pipelines.
- Execution of malicious code during package installation or runtime.
- Propagation of malicious dependencies downstream, impacting customers and partners.
- Increased phishing and credential-stuffing risks tied to stolen data.
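A defender-side check for the install-time execution and propagation risks listed above, added here as an example and not part of the Team Axon advisory or its hunting queries: it walks a node_modules tree and reports packages that declare npm install lifecycle hooks (preinstall/install/postinstall) or carry a package name from this advisory (chalk, debug, eslint-config-prettier). The watchlist, the sample tree and its version strings are constructed; compromised version numbers are not on this page, so a name hit is only a prompt to compare against the Axon IOC list.

```python
import json
import tempfile
from pathlib import Path

# Package names taken from this advisory; affected versions are not listed
# on the page, so a name match is a review prompt, not a verdict.
WATCHLIST = {"chalk", "debug", "eslint-config-prettier"}
# npm runs these hooks automatically during `npm install`, which is the
# "execution during package installation" exposure described above.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_node_modules(root):
    """Return a list of findings for every package.json under a node_modules
    tree that declares an install hook or matches the advisory watchlist."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        if "node_modules" not in manifest.parts:
            continue  # skip the project's own manifest when root is a project dir
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: not a dependency we can assess
        scripts = pkg.get("scripts") or {}
        name = pkg.get("name", manifest.parent.name)
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if scripts.get(h)}
        reasons = []
        if hooks:
            reasons.append("install-hook")
        if name in WATCHLIST:
            reasons.append("watchlist-name")
        if reasons:
            findings.append({"name": name, "version": pkg.get("version"),
                             "hooks": hooks, "reasons": reasons,
                             "path": str(manifest.parent)})
    return findings


def build_sample_tree():
    """Constructed sample node_modules (not real package contents): one benign
    package, one advisory name, and one package with a postinstall hook."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.0.0"},
        "chalk": {"name": "chalk", "version": "0.0.0-sample"},
        "some-lib": {"name": "some-lib", "version": "2.1.0",
                     "scripts": {"postinstall": "node setup.js"}},
    }
    for dirname, manifest in samples.items():
        (root / dirname).mkdir(parents=True)
        (root / dirname / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_node_modules(build_sample_tree()):
        print(f"{f['name']}@{f['version']}: {', '.join(f['reasons'])} {f['hooks']}")
```

Point `scan_node_modules` at a real project directory to list every dependency that will run code at install time, then review those packages and any watchlist hits against the IOC list in your Axon report.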
Our team continues to investigate the scope and technical details of this campaign. If we observe strong indications that a customer's users have been compromised, we will contact that customer directly.