TL;DR: Shai-Hulud spread through the npm ecosystem by harvesting static secrets from infected packages, then using stolen GitHub, npm, and cloud credentials to propagate further, according to Defakto Security. The incident shows that key rotation alone cannot contain a worm when permanent credentials still carry standing privilege and broad blast radius.
NHIMG editorial — based on content published by Defakto Security: Shai-Hulud npm supply chain attack analysis
By the numbers:
- Early reporting from Wiz, Sonatype, and Krebs put the number of infected packages around 180 to 200.
- Some outlets now put the total above 300, including CrowdStrike-maintained packages.
- Shai-Hulud compromised 300+ npm packages in days.
Questions worth separating out
Q: What breaks when static secrets are used in npm and CI/CD pipelines?
A: Static secrets break because they can be copied, reused, and replayed long after the original job completes.
Q: Why do static tokens increase lateral movement risk in software supply chains?
A: Static tokens increase lateral movement risk because they often authenticate across multiple tools, repositories, and cloud services.
Q: How do security teams know whether secret rotation is actually working?
A: Rotation is working only if stolen credentials become unusable quickly enough to prevent reuse.
Practitioner guidance
- Inventory every reusable credential in build and publish paths: map GitHub, npm, cloud, and CI/CD secrets to the jobs and repositories that can actually use them.
- Replace long-lived publish tokens with ephemeral workload identity: use runtime-issued identities for package publishing, deployment, and automation wherever the platform allows it.
- Separate secret scope from repository scope: do not allow one token to authenticate across multiple applications, packages, or tenants.
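One way to carry out the inventory and scope checks in the three items above, as an added example that is not part of this post or of Defakto Security's work: a small Python script that reads GitHub Actions workflow text, maps every `secrets.*` reference to the repository and job that can use it, lists secrets reachable from more than one repository, and reports whether each `npm publish` job still depends on a stored token or runs under an OIDC `id-token: write` grant. The workflow texts and repository names are constructed for the example; the parser is a minimal indentation-based one that assumes 2-space YAML with `jobs:` as the last top-level key, not a general YAML parser.

```python
import re
from collections import defaultdict

# Constructed sample workflows (hypothetical repositories, not from the page).
# org/web-app publishes with a stored NPM_TOKEN; org/cli-tool publishes via
# OIDC (id-token: write) and holds no npm secret in its publish job.
WORKFLOWS = {
    "org/web-app": """
name: release
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: aws s3 sync dist s3://example-bucket
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
""",
    "org/cli-tool": """
name: release
on: [push]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish --provenance
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          GH_TOKEN: ${{ secrets.ORG_WIDE_PAT }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
""",
}

SECRET_REF = re.compile(r"secrets\.([A-Za-z0-9_]+)")
JOB_HEADER = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # exactly 2-space indent


def parse_jobs(text):
    """Split workflow text into (top-level lines, {job_name: [lines]}).
    Assumes 2-space indentation and that `jobs:` is the last top-level key."""
    top, jobs, current, in_jobs = [], {}, None, False
    for line in text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif not in_jobs:
            top.append(line)
        elif (m := JOB_HEADER.match(line)):
            current = m.group(1)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return top, jobs


def inventory(workflows):
    """Map each secret name to the set of (repo, job) pairs that can read it."""
    inv = defaultdict(set)
    for repo, text in workflows.items():
        _, jobs = parse_jobs(text)
        for job, lines in jobs.items():
            for line in lines:
                for name in SECRET_REF.findall(line):
                    inv[name].add((repo, job))
    return dict(inv)


def cross_repo_secrets(workflows):
    """Secrets usable from more than one repository: one stolen copy then
    authenticates in several places, the lateral-movement risk above."""
    return sorted(name for name, uses in inventory(workflows).items()
                  if len({repo for repo, _ in uses}) > 1)


def publish_auth(workflows):
    """Classify every job that runs `npm publish`: 'static-secret' if the job
    reads any secrets.* value, 'oidc' if the workflow or job grants
    id-token: write and the job reads no stored secret, else 'unknown'."""
    result = {}
    for repo, text in workflows.items():
        top, jobs = parse_jobs(text)
        top_oidc = any("id-token: write" in l for l in top)
        for job, lines in jobs.items():
            if not any("npm publish" in l for l in lines):
                continue
            uses_secret = any(SECRET_REF.search(l) for l in lines)
            job_oidc = top_oidc or any("id-token: write" in l for l in lines)
            result[(repo, job)] = ("static-secret" if uses_secret
                                   else "oidc" if job_oidc else "unknown")
    return result


if __name__ == "__main__":
    for name, uses in sorted(inventory(WORKFLOWS).items()):
        print(f"{name}: {sorted(uses)}")
    print("shared across repos:", cross_repo_secrets(WORKFLOWS))
    for (repo, job), kind in sorted(publish_auth(WORKFLOWS).items()):
        print(f"{repo}/{job}: publish auth = {kind}")
```

On the sample input the script reports `AWS_SECRET_ACCESS_KEY` as shared by both repositories (a scope-separation finding) and flags `org/web-app`'s publish job as still holding a static token while `org/cli-tool`'s runs under OIDC. In practice the same functions would be fed the workflow files of every repository in the organization, and the cross-repository list is the rotation priority: those are the secrets whose theft from one package reaches the most places.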
What's in the full article
Defakto Security's full article covers the operational detail this post intentionally leaves for the source:
- Package-by-package breakdown of how the worm moved through npm dependencies and post-install scripts
- Examples of the specific secret types the worm harvested, including GitHub, npm, Atlassian, and cloud credentials
- Discussion of why key rotation workflows add overhead without removing the underlying secret persistence problem
- Defakto's runtime identity approach for workloads and pipelines, including how ephemeral identities are issued and expired
Read Defakto Security's analysis of the Shai-Hulud npm supply chain worm.