unit42.paloaltonetworks.com 4/24/2026, 10:00:30 PM

Shai Hulud worm hijacks npm via fake Bitwarden CLI


The npm threat landscape reached a critical inflection point in September 2025 with the Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages. Since then, Unit 42 has tracked an acceleration in both the frequency and the technical depth of supply chain compromises, with campaigns expanding from typosquatting to weaponising trusted developer tooling across multiple channels.

The report highlights three shifts in adversary tactics: wormable propagation that harvests npm tokens and GitHub PATs in order to infect and republish legitimate packages, infrastructure-level persistence across CI/CD pipelines for long-term access, and multi-stage payloads that deploy dormant sleeper dependencies to evade scanners.

A notable example is the Shai-Hulud incident involving the malicious package @bitwarden/cli@2026.4.0, attributed to TeamPCP, which impersonates the Bitwarden CLI and propagates by backdooring every npm package the victim can publish. The attackers also operated a GitHub dead drop and a C2 server at audit.checkmarx[.]cx:443, with a dead drop commit dated 21 April in the helloworm00/hello-world repository used to rotate instructions, illustrating the campaign’s resilience.
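As an added defender-side example (not code from the Unit 42 report or from CyberSIXT), the following Python audits an npm lockfile for the malicious version named above and scans an installed tree for the C2 host and dead-drop repository strings; the sample lockfile is constructed and the host is kept defanged exactly as the article writes it.

```python
import json
from pathlib import Path

# Indicators taken from the article text above; the host stays defanged as written there.
MALICIOUS_PACKAGES = {("@bitwarden/cli", "2026.4.0")}
C2_HOST_DEFANGED = "audit.checkmarx[.]cx"
DEAD_DROP_REPO = "helloworm00/hello-world"

def refang(ioc: str) -> str:
    """Turn the defanged '[.]' notation back into a matchable hostname."""
    return ioc.replace("[.]", ".")

def lockfile_packages(lock: dict):
    """Yield (name, version) from the v2/v3 'packages' map and the v1/v2 'dependencies' tree."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            yield meta.get("name") or path.split("node_modules/")[-1], meta.get("version", "")
    def walk(deps: dict):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))

def find_malicious(lock: dict) -> list:
    """Return known-bad (name, version) pairs present anywhere in the lockfile, deduplicated."""
    return sorted({nv for nv in lockfile_packages(lock) if nv in MALICIOUS_PACKAGES})

def find_ioc_strings(text: str) -> list:
    """Return which of the article's C2 host / dead-drop repo strings appear in text."""
    return [s for s in (refang(C2_HOST_DEFANGED), DEAD_DROP_REPO) if s in text]

def scan_tree(root) -> list:
    """Walk an installed node_modules tree and report files that reference the IOCs."""
    files = (f for f in Path(root).rglob("*") if f.is_file() and f.suffix in {".js", ".cjs", ".mjs", ".json"})
    hits = ((str(f), find_ioc_strings(f.read_text(errors="ignore"))) for f in files)
    return [h for h in hits if h[1]]

# Constructed sample lockfile (v3 shape) that pulls in the version named in the article.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}}}

if __name__ == "__main__":
    lock_path = Path("package-lock.json")  # real lockfile when run inside a project
    lock = json.loads(lock_path.read_text()) if lock_path.exists() else SAMPLE_LOCK
    print("known-bad packages:", find_malicious(lock))
    print("IOC references:", scan_tree("node_modules") if Path("node_modules").is_dir() else [])
```

Run it from a project root to check its own lockfile and node_modules; without those it falls back to the constructed sample and reports the one known-bad version.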

Palo Alto Networks customers are advised to apply mitigations and leverage protections across Advanced WildFire, Advanced URL Filtering, Advanced DNS Security and Cortex Cloud to detect and respond to these supply-chain threats.


Article by CyberSIXT
