Summary
Disclosed in August 2019, CVE-2019-15107 was an unauthenticated remote code execution backdoor in Webmin, a widely deployed web-based system administration tool that runs with root privileges. The backdoor existed in the password_change.cgi feature: a Perl qx() statement passed the unsanitized old parameter (and, in some versions, the expired parameter) from the password-change request straight to a shell, letting an unauthenticated attacker run arbitrary commands as root, with version 1.890 exploitable in its default configuration and 1.900 through 1.920 exploitable when password expiry was enabled. Critically, the malicious code was never present in Webmin's GitHub source, which remained clean; it was inserted directly into the build infrastructure that produced the official SourceForge release packages, so users who installed signed official builds were backdoored while anyone auditing the public Git source saw nothing wrong. Webmin later confirmed the code was added on its build server on two separate occasions: in April 2018, producing the 1.890 release, and again in July 2018, reintroducing it into 1.900 through 1.920, meaning backdoored builds were distributed for over a year. The project released 1.930 on August 17, 2019 to remove the backdoor.
How to avoid it in your code
- Build release artifacts from verified source in clean, ephemeral CI and compare against Git.
- Publish and verify reproducible builds so packages match auditable source.
- Sign artifacts and verify provenance (SLSA) before installation.
- Harden and monitor build servers; treat them as high-value targets.
- Diff distributed packages against repository source to detect build-time injection.
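The last item above is the check that would have caught this incident, since the Git tree was clean and only the built package carried the extra code. The following script is an added example, not Webmin's own tooling: it hashes every file in a Git checkout and in an unpacked release package, then lists files that differ or exist on only one side, so each discrepancy has to be explained before the package is trusted. It runs on a constructed fixture (placeholder files, not real Webmin sources) and assumes both trees are already unpacked on disk; the function names and the fixture file names are this example's own.

```shell
#!/bin/sh
# Added example (not Webmin project code): detect build-time injection by
# diffing a distributed release tree against the tree checked out from Git.
# Every file that differs or exists only in the package must be explained
# (generated files, packaging metadata) before the release is trusted.
# Assumption: both trees are unpacked on disk. File names containing spaces
# are not handled (awk splits on whitespace), acceptable for a source tree.

set -u

# Prefer sha256sum (coreutils); fall back to shasum (macOS / Perl).
if command -v sha256sum >/dev/null 2>&1; then HASH="sha256sum"; else HASH="shasum -a 256"; fi

# Print "<sha256>  <relative path>" for every regular file under $1, sorted by path.
hash_tree() {
    (cd "$1" && find . -type f -exec $HASH {} + | LC_ALL=C sort -k2)
}

# compare_trees SRC_DIR PKG_DIR
# Prints one finding per line and returns 1 when any finding exists, 0 when
# the package is byte-for-byte the Git source:
#   MODIFIED <path>  content differs        -> prime injection candidate
#   ADDED    <path>  only in the package    -> injected or generated file
#   MISSING  <path>  only in the Git source -> usually dev-only files (CI config, .gitignore)
compare_trees() {
    src_list=$(mktemp); pkg_list=$(mktemp)
    hash_tree "$1" > "$src_list"
    hash_tree "$2" > "$pkg_list"
    findings=$(awk '
        FILENAME == ARGV[1] { src[$2] = $1; next }
        {
            if (!($2 in src))        print "ADDED    " $2
            else if (src[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in src) if (!(p in seen)) print "MISSING  " p }
    ' "$src_list" "$pkg_list" | LC_ALL=C sort)
    rm -f "$src_list" "$pkg_list"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed fixture standing in for a Git checkout (src) and a release
# package (pkg). Contents are placeholders, not Webmin code; the point is
# that the package copy of password_change.cgi carries a line the repository
# never had, plus one file that exists on only one side each.
make_constructed_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/src" "$base/pkg"
    printf '%s\n' '#!/usr/local/bin/perl' '# constructed stand-in for password_change.cgi' \
        > "$base/src/password_change.cgi"
    cp "$base/src/password_change.cgi" "$base/pkg/password_change.cgi"
    echo '# constructed: extra line present only in the built package' >> "$base/pkg/password_change.cgi"
    echo 'constructed README, identical in both trees' > "$base/src/README"
    cp "$base/src/README" "$base/pkg/README"
    echo '*.log' > "$base/src/.gitignore"                               # dev-only: expected MISSING
    echo '# constructed file the build step added' > "$base/pkg/package-only.pl"   # expected ADDED
    echo "$base"
}

# Stand-alone demo on the constructed fixture.
BASE=$(make_constructed_fixture)
if compare_trees "$BASE/src" "$BASE/pkg"; then
    echo "release package matches Git source"
else
    echo "release package differs from Git source; explain every finding above before trusting it"
fi
rm -rf "$BASE"
```

In practice SRC_DIR comes from `git archive` at the tagged release commit and PKG_DIR from the unpacked signed tarball, so a valid signature is checked first and then the contents are checked against the repository; a signature only proves who built the package, not that the build server was clean, which is exactly the gap the Webmin incident exploited. Run the comparison in CI on every release and treat any MODIFIED or ADDED entry that the build process does not account for as a release blocker.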
Related vulnerabilities
- HIGH: SC-CCLEANER-2017
In September 2017, Cisco Talos revealed that CCleaner, a hugely popular Windows cleanup tool from Piriform (newly acquired by Avast), had been shipping a backdoor. Attackers had compromised Piriform's build environment and inserted malicious code into the official, validly code-signed installer, so version 5.33 distributed through Piriform's own channels carried the malware to about 2.27 million users for roughly a month before anyone noticed. The first stage merely profiled machines, but it was a sniper rather than a shotgun: from the millions of installs it served a second stage to only a few dozen selected computers at companies like Google, Microsoft, Cisco, Intel, and Samsung, and a still deeper espionage tool (the ShadowPad backdoor) was later found planted on Piriform's own internal machines. The attack is linked to the China-nexus group tracked as APT17 / Axiom. It is the lesson that a trusted update channel and a valid signature are not the same as trustworthy code, and that build pipelines are prime targets.
- CRITICAL: NPM-SHAI-HULUD-2-2025
Shai-Hulud is the nightmare the npm ecosystem had long feared: a self-replicating worm. First seen in September 2025 and back in a more aggressive wave around 21-24 November 2025 ("The Second Coming"), it does not just poison one package and wait. When its malware runs in a developer's environment, it harvests every secret it can find (npm tokens, GitHub tokens, cloud keys), then uses those stolen npm tokens to automatically publish itself into other packages the victim maintains, spreading from maintainer to maintainer on its own. The second wave hit more than 25,000 GitHub repositories across roughly 500 compromised accounts, leaked the stolen secrets into public repos, and, if it failed to steal credentials, tried to wipe the victim's home directory. It is the moment supply-chain malware learned to propagate like a biological infection.
- CRITICAL: GHSA-6m4g-vm7c-f8w6
Shai-Hulud, in September 2025, was the moment the npm ecosystem's worst fear came true: a worm that spreads by itself. It began with a wave of compromised packages, the most prominent being @ctrl/tinycolor (over two million weekly downloads), and from there it did something no npm attack had done before. When its malware ran on a developer's machine, it hunted for every credential it could find, then used the developer's own npm token to republish itself into all of their other packages automatically, with no attacker involvement, jumping from maintainer to maintainer like an infection. More than 500 packages were compromised, including some from CrowdStrike. It is the first true npm worm, and the template for the even more aggressive Shai-Hulud 2.0 that followed weeks later.
- CRITICAL: NPM-QIX-CHALK-DEBUG-2025
On 8 September 2025, the largest npm supply-chain attack ever by sheer reach hit foundational packages (chalk, debug, ansi-styles, strip-ansi, and 14 more) that together are downloaded over 2 billion times a week. The cause was a single phishing email. A respected maintainer was tricked by a fake "your npm 2FA is expiring" message into handing over his account, and the attackers published poisoned versions of his ultra-popular libraries. The payload was a crypto clipper: browser code that silently swapped any cryptocurrency address a user was sending to with the attacker's. Automated scanners flagged the poisoned versions within minutes and they were pulled within about two hours, and the actual theft came to roughly a thousand dollars, the one piece of good news in an attack that sat, briefly, under nearly the entire JavaScript ecosystem.
- CRITICAL: GHSA-CXM3-WV7P-598C
On August 26, 2025, attackers exploited a vulnerable GitHub Actions workflow (added August 21) that was susceptible to code injection via a crafted pull-request title, stealing Nx's npm publishing token, then published malicious versions of nx (21.5.0, 20.9.0 and others) and several @nx plugins. The malware scanned the filesystem, collected credentials, npm/GitHub tokens, SSH keys and cryptocurrency wallets, and posted them to public GitHub repositories under victim accounts. Dubbed 's1ngularity', it was the first known supply chain attack to weaponize installed AI CLI tools (Claude, Gemini, q) for reconnaissance. The packages were live for about four hours and thousands of secrets were leaked.
- CRITICAL: NPM-GLUESTACK-REACT-NATIVE-ARIA-2025
Starting June 6, 2025, a threat actor used a leaked npm access token belonging to a maintainer without 2FA to publish malicious versions of 16-17 React Native Aria and gluestack-ui packages with over 1 million combined weekly downloads. The packages were backdoored with obfuscated Remote Access Trojan (RAT) code hidden using whitespace obfuscation, establishing command-and-control infrastructure and persistence on compromised systems. The same payload was tied to a broader campaign also hitting PyPI; end-user impact was limited by the frontend nature of the libraries and a response within 48 hours.