Key Points
- Two major npm-focused campaigns identified as part of broader threat landscape: July "account maintenance" and September "2FA security update" operations
- These npm campaigns represent an escalation in the targeting of critical open source development infrastructure
- September 14, 2025: "Shai-Hulud" self-replicating worm deployment linked to harvested credentials
- Worm infiltrated 180+ npm packages through autonomous replication, demonstrating evolution from credential theft to supply chain malware
Campaign Overview
The Mimecast Threat Research team has been actively monitoring a multi-stage attack campaign targeting the npm ecosystem since July 2025. Our research reveals a progression from credential-harvesting phishing attacks to the "Shai-Hulud" supply chain compromise that occurred on September 14, 2025. Through continuous threat monitoring, we identified two major phishing campaigns that directly preceded large-scale npm package compromises.
Mimecast-Tracked Campaign Timeline
July 2025 - Account Maintenance Campaign
The first identified npm-targeted phishing activity took place in July 2025, utilizing "account maintenance" social engineering lures. These campaigns directed developers to typosquatted domains that mimicked npm's legitimate infrastructure, targeting package maintainers with urgent account maintenance notifications.
- Lure Used: Account maintenance and verification requirements
- Delivery Method: Phishing emails impersonating official npm communications
- Objective: Credential harvesting targeting high-value maintainer accounts
- Infrastructure: Typosquatted domains including npnjs.com
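The typosquatted domain named above differs from the legitimate registry host by a single character, which is exactly what a mail gateway or SOC triage script can check for. The following detection example is added here and is not Mimecast's tooling or code from the original article; the allowlist of legitimate npm domains, the edit-distance threshold and the sample "account maintenance" email body are constructed assumptions for illustration.

```python
"""Flag npm-lookalike domains in the links of an email body.

Added example (not Mimecast code). LEGIT_DOMAINS, the distance threshold
and SAMPLE_EMAIL are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: the legitimate npm registry/web hosts.
LEGIT_DOMAINS = {"npmjs.com", "npmjs.org"}

# Constructed sample email body modelled on an "account maintenance" lure.
SAMPLE_EMAIL = """\
Subject: Action required: npm account maintenance

Your npm account requires verification within 24 hours.
Verify now: https://www.npnjs.com/login?next=%2Fsettings
Documentation: https://docs.npmjs.com/about-two-factor-authentication
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Reduce 'www.npnjs.com' -> 'npnjs.com'.

    Naive last-two-labels rule; a production check should consult the
    Public Suffix List so that hosts under e.g. .co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(domain: str, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a registrable domain."""
    if domain in LEGIT_DOMAINS:
        return "legit"
    for legit in LEGIT_DOMAINS:
        # Compare the second-level label only, so npnjs.com vs npmjs.com
        # scores 1 rather than being dominated by a differing TLD.
        if levenshtein(domain.split(".")[0], legit.split(".")[0]) <= max_distance:
            return "lookalike"
    return "unrelated"


def scan_email(body: str) -> list[tuple[str, str, str]]:
    """Return (url, registrable_domain, verdict) for every URL in the body."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        results.append((url, dom, classify_domain(dom)))
    return results


if __name__ == "__main__":
    for url, dom, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {dom:20} {url}")
```

Run against the constructed sample, the `npnjs.com` link is reported as a lookalike while the `docs.npmjs.com` link resolves to the allowlisted `npmjs.com` and passes. The distance threshold is a tuning knob: a value of 1 catches single-character swaps like the one in this campaign with few false positives, while 2 also catches two-character variants at the cost of flagging short unrelated labels, so pair it with an allowlist review rather than an automatic block.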
Dimakatso Makinta