MAL-2025-47450
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hello-shai/MAL-2025-47450.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/MAL-2025-47450
- Published
- 2025-09-18T04:34:17Z
- Modified
- 2025-09-18T04:34:17Z
- Summary
- Malicious code in hello-shai (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: google-open-source-security (297f2a57d1c225e18d8464c2024daef4567955be0eb8cd8d45052aa778fb4f3a)
This package was compromised by the Shai-Hulud NPM worm. The malicious payload steals tokens and credentials and publishes them to GitHub before propogating itself to NPM packages the user owns.
- Database specific
{ "malicious-packages-origins": [ { "modified_time": "2025-09-18T04:34:17Z", "sha256": "297f2a57d1c225e18d8464c2024daef4567955be0eb8cd8d45052aa778fb4f3a", "versions": [ "1.0.1" ], "import_time": "2025-09-18T04:34:27.306675Z", "source": "google-open-source-security" } ] }- References
-
- https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
- https://semgrep.dev/blog/2025/security-advisory-npm-packages-using-secret-scanning-tools-to-steal-credentials/
- https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
- https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised
- https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
Affected packages
npm / hello-shai
Package
- Name
- hello-shai
- View open source insights on deps.dev
- Purl
- pkg:npm/hello-shai