npm supply chain attacks: what identity teams need to act on

TL;DR: A malware campaign targeting more than 50 npm packages used injected scripts to republish packages, steal developer secrets such as GitHub, npm, and cloud credentials, and exfiltrate data to a public repository, according to Orca Security. Package compromise now turns routine dependency installs into secret-harvesting events that identity and security teams must treat as credential exposure, not just code tampering.

NHIMG editorial — based on content published by Orca Security: LLMjacking style supply chain attack analysis of npm package compromise and secret theft

By the numbers:

• When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: What breaks when a malicious npm package can read developer secrets during install?

A: The main failure is that package execution inherits identity context it should never need.

Q: Why do npm supply chain attacks create such a large IAM risk?

A: Because npm, GitHub, and cloud credentials often coexist in the same developer and build environments.

Q: How do security teams know if package compromise has become a secret exposure event?

A: They look for install-time script execution, unexpected package republishing, workflow files added to repositories, and any evidence that credentials were present in the affected environment.

Practitioner guidance

• Inventory every dependency and transitive package Maintain an up-to-date software bill of materials and know which versions are installed in CI, developer workstations, and production build images.
• Separate package publishing from secret-bearing workflows Remove npm tokens, GitHub tokens, and cloud keys from environments that only need to build or test.
• Rotate exposed secrets as a containment step, not a cleanup task Assume any token or key accessible during the infected install may have been harvested, then revoke and replace it immediately.

What's in the full analysis

Orca Security's full research covers the operational detail this post intentionally leaves for the source:

• The package-by-package infection list, including versions and maintainer scope, for teams validating exposure.
• The exact malicious file and workflow artefacts used for persistence and exfiltration in affected repositories.
• The concrete containment commands and cleanup sequence Orca Security recommends for infected environments.
• The platform-specific guidance on finding exposed secrets and suspicious cloud activity after dependency compromise.

👉 Read Orca Security's analysis of the Shai-Hulud npm supply chain attack →

npm supply chain attacks: what identity teams need to act on?

Explore further

View Full Forum →  |  NHI Foundation Course →