
NPM Supply Chain Attack 2025: The “Shai-Hulud” Incident and Threat Hunting with Intelon.io


In September 2025, a large-scale supply chain attack was discovered within the NPM ecosystem, tracked under the codename “Shai-Hulud.”
The attack began when several popular JavaScript package maintainer accounts were compromised, allowing the attackers to inject malicious versions into hundreds of packages.
These trojanized versions exfiltrated API keys, tokens, and wallet addresses from developer systems during installation and transmitted them to remote servers.

Below, we detail the technical aspects of the incident and how Intelon.io can be used to detect and monitor related indicators of compromise (IoCs).

1. Technical Summary of the Attack

  • Attackers compromised NPM maintainer accounts through phishing and social engineering.
  • From those accounts, they published new package versions containing malicious postinstall scripts.
  • During installation, these scripts collected data such as API keys, .npmrc contents, environment variables, and cryptocurrency wallet addresses.
  • The stolen information was exfiltrated via HTTP POST requests to attacker-controlled Command & Control (C2) servers.

Unlike malware that needs a user to open an attachment or an attacker to exploit a service, this payload rode the supply chain itself: npm runs lifecycle scripts automatically, so running npm install on any project that depended on a compromised version, directly or transitively, was enough to execute the payload on that machine.

2. Finding Attack Indicators (IoCs) with Intelon.io

Intelon.io is an OSINT search engine capable of aggregating data from leaked databases, darknet forums, and public paste sites.
Within the context of the NPM attack, threat indicators can be identified using domains, IP addresses, or email addresses involved in the compromise.

The values in the Example column illustrate the format of each indicator type; they are not published IoCs for this campaign. Substitute indicators from a vendor advisory or from your own telemetry before searching or blocking.

Type               Example                          Purpose
Domain             malicious-npm-update[.]com       Detect C2 domains used by infected packages
IP address         45.155.205.32                    Identify servers receiving malicious postinstall traffic
Email address      support@npmjs-security.com       Detect fake support or phishing accounts
URL                http://update-npmjs.com/login    Identify phishing or token-harvesting sites
Wallet (BTC/ETH)   0xabc123…                        Track attacker wallets or campaign payments

3. Filtering: Choosing the Right Data Sources in Intelon.io

To find leaked tokens, credentials, or compromised developer accounts, focus on these key data sources:

  • Leaks Stealers – Contains credentials and tokens collected from infected systems.
  • Leaks Combo – Aggregates previously leaked credentials from multiple datasets.
  • Pastes – May include accidentally uploaded .npmrc, package.json, or tokens.
  • DNS Records – Helps identify infrastructure relations between malicious domains and IPs.
  • Darknet Leaks / Offshore Leaks – Surfaces discussions or indicators shared on underground forums.

4. Example Intelon.io Searches

a) Domain-based search

Query: malicious-npm-update.com
Using “Leaks Stealers” + “DNS Records” filters may reveal credential data associated with this domain.

b) IP-based search

Query: 45.155.205.32
With the “Darknet Leaks” filter, this IP could appear in historical posts tied to a known C2 infrastructure.

c) Email-based search

Query: npmjs-security@proton.me
“Leaks” or “Pastes” filters can show its use as a fake support address in phishing operations.

d) Bitcoin address search

Query: bc1q8xjz5…
With the “Offshore Leaks” filter enabled, a hit may link the same wallet to other postings or campaigns; confirm payment flows on a blockchain explorer rather than from the search result alone.

5. Intelon.io Use Cases for Internal Threat Detection

Scenario 1 — Detecting Compromised Developer Accounts

  1. Search your organization’s domain: example.com
  2. Enable Leaks Stealers + Leaks Combo filters.
  3. If developer emails appear with values like npm_token= or github_token=, immediately rotate the exposed tokens, revoke the old ones at the registry or GitHub, and review recent publishes and repository activity from those accounts, since a stolen token may already have been used.

Scenario 2 — Tracking Malicious Domains or IPs

  1. Query domain indicators (e.g., npm-update-server.com) associated with the campaign.
  2. Use DNS Records to see resolved IP addresses.
  3. Add these IPs to your firewall or EDR blocklists, after confirming each one is not shared hosting or a CDN edge that legitimate traffic also uses.

Scenario 3 — Darknet Monitoring for Project Names

  1. Search your internal project name as a domain format (e.g., internal-api.example.com).
  2. With Darknet Leaks enabled, identify any exposed API endpoints or internal code references.

6. Conclusion & Recommendations

The NPM “Shai-Hulud” incident demonstrated that the open-source ecosystem’s greatest strength, collaboration, can also be its weakest link.
Organizations must secure not only their own code but also their dependencies and developer identities.

Intelon.io strengthens this effort by providing:

  • Real-time monitoring of leaked or stolen data
  • Threat detection across domains, IPs, wallets, and email addresses
  • Filtered, reportable search results for rapid incident response

A single npm install on a machine that holds publish tokens or cloud credentials can compromise far more than that machine if the supply chain isn’t secure.
That’s why strict dependency hygiene (pinning dependencies with a committed lockfile, installing with npm ci, disabling install scripts with ignore-scripts=true where they are not needed, and keeping publish tokens off developer workstations) and OSINT visibility tools like Intelon.io are both needed to see and stop what others can’t.