Detections
Analytics

Multiple Node.js Modules compromised in supply chain attack to harvest credentials (Shai-Hulud) (09/15/2025)

critical Nessus Plugin ID 265897

Language:

Synopsis

The remote host has a compromised Node.js module installed.

Description

The remote host has a version of one or more Node.js modules installed known to be compromised in a supply chain attack (Shai-Hulud). The modules that are vulnerable are referenced here

 - https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages.

A malicious update to these modules introduced credential harvesting that is then exfiltrated. It will then attempt to propagate to other packages that the maintainer controls.

The list of vulnerable Node.js packages this plugin checks for is up to date as of 09/23/25. However, the impact of this vulnerability is evolving and the list may become outdated if further vulnerable packages are discovered

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected node modules to a version higher than the known compromised versions.

See Also

http://www.nessus.org/u?27b87ee3

Plugin Details

Severity: Critical

ID: 265897

File Name: npm_supply_chain_attack_shai_hulud.nasl

Version: 1.3

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 9/25/2025

Updated: 9/29/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: Host/nodejs/modules/enumerated

Patch Publication Date: 9/15/2025

Vulnerability Publication Date: 9/15/2025