
Introduction:

Supply chain attacks remain one of the most dangerous threats in today’s open-source ecosystem. The latest affected vendor is CrowdStrike, a leading cybersecurity company, whose npm packages were compromised as part of the ongoing “Shai-Hulud” campaign. The attack follows the same pattern as the earlier compromise of the popular Tinycolor package, demonstrating the persistence and adaptability of these threat actors.

How the Attack Happened:

The malicious activity originated from the crowdstrike-publisher npm account, which was used to publish compromised versions of several CrowdStrike npm packages. The attackers injected a malicious bundle.js script into the packages. Once executed, the script launched a multi-stage attack chain designed to steal sensitive credentials and establish persistence in victim environments. For example, it deploys TruffleHog, a secret-scanning tool, to locate sensitive tokens on the developer’s machine; once discovered, these secrets are validated to ensure they are still active. The malware then creates unauthorized GitHub Actions workflows in compromised repositories, enabling the attackers to maintain access and automate further malicious activity.


Ongoing npm Supply Chain Attack:

Multiple CrowdStrike npm packages were compromised, marking a continuation of the Shai-Hulud supply chain campaign, which previously affected Tinycolor and more than 40 other packages. The affected packages were quickly removed by the npm registry. Some of the impacted packages include:

@crowdstrike/commitlint
@crowdstrike/glide-core
@crowdstrike/logscale-dashboard
@eslint-config-crowdstrike


Indicators of Compromise (IoCs):

Exfiltration endpoint: https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

SHA-256 hash of malicious bundle.js:
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09

CrowdStrike’s Response and Recommendations:

A CrowdStrike spokesperson told Cybersecurity News: “After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries. These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”

Organizations are strongly advised to conduct thorough audits of CI/CD pipelines, developer laptops, and any other environments where the malicious packages may have been installed.

Any npm tokens or other secrets exposed on these systems should be rotated immediately. Furthermore, continuous monitoring of logs for unusual npm publish events or unauthorized package modifications is crucial to detect any follow-on activity.
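The audit steps above can be turned into a repeatable check. The following script is an added example, not code from the post or from CrowdStrike: it walks a checkout or developer machine, flags the listed package names in any package-lock.json, compares every bundle.js against the published SHA-256, and lists GitHub Actions workflow files for manual review. The sample tree built in demo() is constructed, and the lockfile and workflow layouts assume standard npm and GitHub conventions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Indicators of compromise taken from the post above.
MALICIOUS_BUNDLE_SHA256 = "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"
COMPROMISED_PACKAGES = {
    "@crowdstrike/commitlint",
    "@crowdstrike/glide-core",
    "@crowdstrike/logscale-dashboard",
    "@eslint-config-crowdstrike",
}


def lockfile_packages(lock):
    """Package names from a package-lock.json (v2/v3 'packages' keys, v1 'dependencies')."""
    names = {k.rsplit("node_modules/", 1)[-1] for k in lock.get("packages", {}) if k}
    return names | set(lock.get("dependencies", {}))


def scan_tree(root, bad_hashes=frozenset({MALICIOUS_BUNDLE_SHA256})):
    """Walk a checkout or developer machine and report: listed packages referenced by any
    lockfile, bundle.js files matching a known-bad hash, and GitHub Actions workflow files
    to review by hand (the malware adds its own)."""
    findings = {"packages": set(), "bundles": [], "workflows": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == "package-lock.json":
            lock = json.loads(path.read_text(encoding="utf-8"))
            findings["packages"] |= lockfile_packages(lock) & COMPROMISED_PACKAGES
        elif path.name == "bundle.js" and hashlib.sha256(path.read_bytes()).hexdigest() in bad_hashes:
            findings["bundles"].append(str(path))
        elif path.parent.as_posix().endswith(".github/workflows") and path.suffix in (".yml", ".yaml"):
            findings["workflows"].append(str(path))
    return findings


def demo():
    """Constructed sample tree (no real malware): a v3 lockfile that pulls in one listed
    package, a harmless bundle.js and one workflow file."""
    root = Path(tempfile.mkdtemp())
    (root / ".github" / "workflows").mkdir(parents=True)
    lock = {"lockfileVersion": 3, "packages": {"node_modules/@crowdstrike/glide-core": {}}}
    (root / "package-lock.json").write_text(json.dumps(lock), encoding="utf-8")
    (root / "bundle.js").write_text("console.log('harmless');\n")
    (root / ".github" / "workflows" / "ci.yml").write_text("on: push\n")
    return scan_tree(root)
```

Run scan_tree() against the root of each CI runner, build cache or developer checkout; a hit in "packages" or "bundles" means the tokens on that host should be treated as exposed and rotated.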


Why this Matters:

This attack scenario highlights the fragility of software supply chains and the critical importance of verifying the integrity of third-party dependencies. It demonstrates that trust in widely used development tools must always be balanced with rigorous security oversight.


Conclusion:

This supply chain attack is a reminder of the hidden risks within the software we use every day. Even a single compromised dependency can create serious security issues. Protecting against these threats requires close attention to the tools and packages we rely on, timely rotation of credentials, and making supply chain security a routine part of development practice.



Author TwinTech Solutions
