Massive Supply Chain Attack 'Shai-Hulud' Compromises 500 npm Packages, Stealing Credentials

Sep 19, 2025
Socket

Summary

Breaking news: A massive supply chain attack dubbed 'Shai-Hulud' has compromised nearly 500 npm packages. The malware steals credentials and spreads through modified packages. Developers need to uninstall affected versions, rotate secrets, and monitor for suspicious activity.

Key Points

  • An ongoing supply chain attack called 'Shai-Hulud' has compromised nearly 500 npm packages, including packages from CrowdStrike.
  • The malware steals credentials, creates unauthorized GitHub Actions workflows to exfiltrate data, and self-propagates by modifying and republishing affected packages.
  • Developers are advised to uninstall or pin affected package versions, audit environments, rotate exposed secrets, and monitor logs for unusual activity.
