Regtech firm SlowMist noted that recently, the NPM ecosystem has experienced another large-scale package poisoning incident. For context, the so-called NPM ecosystem is the vast, interconnected system of the Node Package Manager (npm), which includes the “online registry of software packages and the command-line interface (CLI) developers use to manage them.”
It allows devs to discover, install, and share reusable code modules, “forming the foundation for a large portion of JavaScript and TypeScript development by automating dependency management and code sharing.”
This ecosystem’s strength is also its “vulnerability, as a compromise in one package can have a widespread impact on many other projects.”
As noted by SlowMist, this event is highly related to the Shai-Hulud attack that occurred in Sept 2025. The malicious code embedded in the compromised NPM packages was reportedly “designed to steal sensitive information, including developer keys, API keys, and environment variables.”
Using the stolen credentials, the attacker had reportedly created “public repositories and uploaded the exfiltrated data.”
SlowMist’s independently developed Web3 threat-intelligence and real-time security monitoring platform, MistEye, responded “immediately and swiftly pushed relevant threat intelligence to provide critical security protection for our clients.”
SlowMist went on to describe a credential theft:
- AWS: The malicious script implements two functions — runSecrets() and listAndRetrieveAllSecrets(). The runSecrets() function iterates through all discoverable cloud access credentials and all possible regions to maximize the scanning scope.
- The listAndRetrieveAllSecrets() function then performs “deep enumeration” within the specified credentials and region, listing all Secrets and retrieving their most recent plaintext values.
- By combining these two functions, the attacker is able to extract all accessible SecretString and SecretBinary values from the victim’s AWS account in a single sweep.
In the process of stealing sensitive information, the malicious “script also abuses legitimate security tools against the victim.”
As noted in the report:
“The malicious script implements an updatePackage() function that is used to perform NPM supply-chain propagation. Using the stolen NPM token, it first downloads the source code of legitimate NPM packages for which the victim holds publish permissions. It then modifies the package.json file by injecting a malicious preinstall script command into the scripts field, and inserts the malicious payload into the package. The package version number is automatically incremented by one to trigger users’ automatic updates, after which the compromised package containing the malicious script is published to the official NPM registry.”
The report from SlowMist concluded:
“This NPM repository poisoning incident combines worm‑like propagation with long‑term persistence via self‑hosted runners, and further leverages TruffleHog as part of the attack chain. The SlowMist security team recommends that developers adopt strict dependency version‑locking strategies when building and releasing new iterations. If a dependency requires security or functional updates, it should be upgraded only through an internal, rigorous security review process, and the locked versions should be updated accordingly to avoid introducing new risks through blind updates.”
