On 15-16 September 2025 a novel self-replicating supply-chain worm, being tracked publicly as “Shai-Hulud” was discovered in routine npm packages (npm packages compromised by Shai hulud worm). The malware was first observed in compromised versions of @ctrl/tinycolor and quickly expanded to dozens, then hundreds, of packages by abusing maintainer workflows and registry APIs. The payload executes during npm install, harvests credentials from local environments and cloud secret stores, and attempts to propagate by force-publishing modified packages under the same maintainers.
Timeline and blast radius
- Initial public signals (Sept 14–15, 2025): researchers observed malicious updates to @ctrl/tinycolor and related packages.
- Rapid escalation (Sept 15–16): multiple vendor research teams reported the campaign expanding from ~40 packages to hundreds as the worm used maintainer credentials and republishing logic to infect additional packages.
- Blast radius: initial confirmed set: 40+ packages. Follow-on analysis showed the campaign affecting many more (reports vary from ~180 → ~500 packages depending on the time of snapshot). Expect the list to keep changing while incident responders clean repositories and maintainers rotate tokens.
Key practical takeaway: this is a fast-moving, worm-like supply-chain event. Any organization that installed or built code that resolved to the affected versions between Sept 14–16 should treat that build and any artifacts it produced as suspect.
How the payload runs (stage-by-stage)
The Shai-Hulud payload is modular (Webpack chunks) and runs as an asynchronous JavaScript bundle executed during package installation (likely via a hijacked postinstall script). High level stages:
- Delivery & execution
- The compromised package contains a large minified bundle.js (~3.6 MB in observed samples) that executes during npm install/postinstall. The bundle uses async execution semantics and spawns multiple modules.
- OS reconnaissance
- The payload builds a system profile (os.platform(), arch, environment dump) and records process.env to find transient tokens and environment variables.
- Local secret scanning
- It invokes legitimate secret-scanning tooling (observed: TruffleHog executed as trufflehog filesystem / –json) to search the filesystem for high-entropy strings and known key patterns (e.g., AKIA[0-9A-Z]{16}). Using a real tool helps the malware masquerade as a benign scan while actually harvesting secrets.
- Cloud secret harvesting
- AWS: uses @aws-sdk/client-secrets-manager to enumerate and fetch secrets (handles pagination, decodes binary secrets, and silently swallows errors such as DecryptionFailure).
- GCP: uses @google-cloud/secret-manager to list & access secrets (paginates via nextPageToken).
- Azure and other cloud metadata endpoints are also targeted where reachable.
- Self-propagation / NPM pivot
- The code queries the NPM registry API for maintainer packages (/v1/search?text=maintainer:<username>&size=20), downloads package tarballs, injects the malicious bundle.js, and re-publishes packages using the maintainer’s NPM_TOKEN (or .npmrc) – often using forced publish commands (observed npm version patch –force && npm publish –access public). This allows the malware to spread across the maintainer’s full package set.
- Persistence via GitHub Actions
- The malware writes a workflow file .github/workflows/shai-hulud-workflow.yml (via GitHub Contents API) which runs on push and exfiltrates ${{ toJSON(secrets) }} to an attacker endpoint. It may create a branch shai-hulud (/git/refs) to ensure the workflow is present and triggered. The workflow content observed posted secrets (base64-encoded) to webhook.site style endpoints in the wild.
- Exfiltration
- Harvested secrets + environment data are aggregated into JSON payloads and published to public resources (observed: attacker-created public repos named Shai-Hulud and webhook calls), making stolen secrets easily accessible to attackers.
What we observed across variants
- Identical core logic, different packaging: multiple packages contained near-identical Webpack chunks/modules (OS recon, TruffleHog spawn, cloud SDK usage), indicating a single malicious engine re-used across artifacts.
- Silent failure modes: error handling intentionally swallows exceptions (empty catch {}), reducing alerting noise and forensic signatures.
- Use of legitimate tools for stealth: executing TruffleHog (a legitimate open-source secret scanner) helps the payload appear normative while returning fresh secrets to attackers.
- Cross-maintainer contamination: early victims included packages spanning multiple maintainers and organizations. The worm’s registry queries and force-publish behavior created a cascading infection pattern.
Indicators of compromise (IoCs) you can act on today
High-priority IoCs (scan/alert immediately):
- SHA-256 of observed malicious bundle:
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09. - Exfiltration endpoints (observed): https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7.
- Presence of workflow file: .github/workflows/shai-hulud-workflow.yml.
- Commands/processes: trufflehog filesystem / –json, npm publish –force, curl calls to webhook.site domains.
File & repo signatures to search for (examples):
- Any repo containing shai-hulud in branch names or file paths.
- New public repos named Shai-Hulud (created suddenly by affected accounts).
- Recent packages publish timestamps from maintainers that match the incident window (Sept 14–16, 2025) or immediate follow-on dates.
Are you affected?
You should assume possible exposure if any of these apply:
- You installed, built, or deployed code that resolved (directly or via transitive deps) to @ctrl/tinycolor or any packages flagged by CloudDefense.AI between Sept 14–16, 2025 (or later, as the campaign evolved).
- Your CI artifacts were produced on runners that executed a build with a suspicious package installed during that window.
- You used automation tokens, NPM tokens, or GitHub PATs that may have been available to the build environment or stored in repo/CI secrets.
If you meet any of the above, treat builds as compromised artifacts and follow Immediate Remediation below.
Detection and forensics (step-by-step, with commands)
Below are practical commands and playbooks for detection and initial triage. Run these from an incident-response environment and pipeline the results to your SIEM.
1) Find malicious bundle files in your repo or build artifacts
# from project root: compute SHA256 for all .js files and look for the known hash
find . -type f -name "*.js" -exec sha256sum {} \; | grep "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09" || true
2) Search for the injected workflow or suspicious files
# local repo
git ls-files | grep -i ".github/workflows/shai-hulud-workflow.yml" || true
# check remote branches
git ls-remote --heads origin | grep shai-hulud || true
# find workflow files across many repos (GitHub CLI)
gh repo list ORG --limit 1000 --json nameWithOwner --jq '.[].nameWithOwner' \
| while read repo; do
gh api "repos/$repo/contents/.github/workflows/shai-hulud-workflow.yml" \
--silent -H "Accept: application/vnd.github.v3+json" \
| jq -r '.name, .message' 2>/dev/null && echo "Found in $repo"
done
3) Detect recent forced publishes by maintainers
# detect npm publish events (if you log them centrally) or search for sudden version bumps
# Example (if you have an internal registry/event stream): filter for "npm publish" events with --force flag
# In absence of centralized logs, review publish timestamps via registry queries or rely on your artifact monitor.
4) Cloud artifact & secrets audit
AWS CloudTrail: search for suspicious Secret Manager access
# look for secret access events in CloudTrail
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListSecrets
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=BatchGetSecretValue
GCP Logging: look for Secret Manager and service account key activity
gcloud logging read "resource.type=secretmanager.googleapis.com" --limit=200 --format=json
gcloud logging read "protoPayload.methodName=google.iam.admin.v1.CreateServiceAccountKey" --limit=200 --format=json
5) Look for TruffleHog runs or similar filesystem scans on build hosts
- Inspect process execution logs, runner audit trails, or EDR telemetry for processes that executed trufflehog or spawned child_process.exec with filesystem scanning.
6) Collect artifacts
- Pull the malicious bundle.js sample (if found), workflow YAMLs, shell commands that created branches, and network egress logs. Hash everything and ingest into your malware repository.
If you want, CloudDefense.AI can produce these detection queries as ready-to-run playbooks for your Splunk/Datadog/Elastic stack.
Immediate remediation
If you have confirmed or even suspected exposure, follow this prioritized playbook.
1. Contain
- Stop builds that used suspect dependency versions. Quarantine CI runners and images that executed compromised installs.
- Block outbound connections to known exfil endpoints (e.g., the webhook.site URL family observed).
2. Eradicate malicious artifacts
- Remove the malicious workflow file from repos and delete shai-hulud branches:
# local
rm -f .github/workflows/shai-hulud-workflow.yml
git add .github/workflows/shai-hulud-workflow.yml && git commit -m "Remove malicious workflow" || true
git push origin --delete shai-hulud || true
Replace any build artifacts produced during the incident window with artifacts rebuilt from trusted sources after remediation.
3. Rotate credentials (do NOT skip)
Rotate in this order where possible and restrict scopes on newly issued tokens:
- GitHub: rotate PATs, revoke OAuth apps, remove deploy keys, rotate Actions secrets and organization automation tokens.
- NPM: revoke and reissue automation/publish tokens, remove any leaked tokens from registries.
- Cloud: rotate AWS IAM keys (revoke compromised keys), Google service account keys, Azure app credentials.
- Other: DB creds, API keys, 3rd party tokens.
Notify downstream teams to rotate any cached credentials.
4. Audit & investigate
- Review CloudTrail / GCP logs for suspicious GetSecretValue / CreateServiceAccountKey events.
- Check GitHub audit logs for suspicious repo contents writes, branch creation, or token usage.
- Identify lateral movement (e.g., compromised CI tokens used to access internal artifacts) and investigate affected resources.
5. Rebuild & harden
- Rebuild images and artifacts from clean sources and redeploy to production only after validation.
- Implement package cooldown, review automation that auto-updates dependencies, enable stricter branch protection, and set alerts for npm publish –force.
If you’d like, CloudDefense.AI will prepare an incident playbook tailored to your org (credential lists, rotation steps, scripts to detect/remove shai-hulud artifacts).
Why this campaign is different
- Wormable self-propagation through maintainers: previous npm incidents typically depended on single package compromise or hijacked accounts publishing malicious versions. Shai-Hulud actively enumerates a maintainer’s packages and attempts to force-publish malicious patches, creating a cascading, worm-like infection.
- Multi-cloud credential harvesting combined with persistence: unlike simple coin-miners or ad-injection trojans, this payload targeted cloud secrets (AWS/GCP/Azure) and used GitHub Actions backdoors to maintain long-term access and mass exfiltration.
- Use of legitimate tooling for camouflage: invoking TruffleHog makes the activity look like a benign security scan while still returning secrets to attackers. This complicates detection based on simple “tool usage” heuristics.
- Rapid and noisy public discovery: widespread media and vendor coverage accelerated community awareness, but also means attackers can pivot quickly defenders must act fast.
Appendix: affected packages and staying current
The affected package list was evolving fast. Initial public lists started at ~40 packages and broadened to hundreds as researchers and registries analyzed the campaign details. Do not rely on any single static list – treat the registry and your own dependency graph as the authority and run immediate scans across your org.
Confirmed affected packages (excerpt as of Sept 16, 2025)
| Row | Package Name | Version(s) |
| 1 | @ahmedhfarag/ngx-perfect-scrollbar | 20.0.20 |
| 2 | @ahmedhfarag/ngx-virtual-scroller | 4.0.4 |
| 3 | @art-ws/common | 2.0.22, 2.0.28 |
| 4 | @art-ws/config-eslint | 2.0.4, 2.0.5 |
| 5 | @art-ws/config-ts | 2.0.7, 2.0.8 |
| 6 | @art-ws/db-context | 2.0.24 |
| 7 | @art-ws/di | 2.0.28, 2.0.32 |
| 8 | @art-ws/di-node | 2.0.13 |
| 9 | @art-ws/eslint | 1.0.5, 1.0.6 |
| 10 | @art-ws/fastify-http-server | 2.0.24, 2.0.27 |
| 11 | @art-ws/http-server | 2.0.21, 2.0.25 |
| 12 | @art-ws/openapi | 0.1.9, 0.1.12 |
| 13 | @art-ws/package-base | 1.0.5, 1.0.6 |
| 14 | @art-ws/prettier | 1.0.5, 1.0.6 |
| 15 | @art-ws/slf | 2.0.15, 2.0.22 |
| 16 | @art-ws/ssl-info | 1.0.9, 1.0.10 |
| 17 | @art-ws/web-app | 1.0.3, 1.0.4 |
| 18 | @crowdstrike/commitlint | 8.1.1, 8.1.2 |
| 19 | @crowdstrike/falcon-shoelace | 0.4.1, 0.4.2 |
| 20 | @crowdstrike/foundry-js | 0.19.1, 0.19.2 |
| 21 | @crowdstrike/glide-core | 0.34.2, 0.34.3 |
| 22 | @crowdstrike/logscale-dashboard | 1.205.1, 1.205.2 |
| 23 | @crowdstrike/logscale-file-editor | 1.205.1, 1.205.2 |
| 24 | @crowdstrike/logscale-parser-edit | 1.205.1, 1.205.2 |
| 25 | @crowdstrike/logscale-search | 1.205.1, 1.205.2 |
| 26 | @crowdstrike/tailwind-toucan-base | 5.0.1, 5.0.2 |
| 27 | @ctrl/deluge | 7.2.1, 7.2.2 |
| 28 | @ctrl/golang-template | 1.4.2, 1.4.3 |
| 29 | @ctrl/magnet-link | 4.0.3, 4.0.4 |
| 30 | @ctrl/ngx-codemirror | 7.0.1, 7.0.2 |
| 31 | @ctrl/ngx-csv | 6.0.1, 6.0.2 |
| 32 | @ctrl/ngx-emoji-mart | 9.2.1, 9.2.2 |
| 33 | @ctrl/ngx-rightclick | 4.0.1, 4.0.2 |
| 34 | @ctrl/qbittorrent | 9.7.1, 9.7.2 |
| 35 | @ctrl/react-adsense | 2.0.1, 2.0.2 |
| 36 | @ctrl/shared-torrent | 6.3.1, 6.3.2 |
| 37 | @ctrl/tinycolor | 4.1.1, 4.1.2 |
| 38 | @ctrl/torrent-file | 4.1.1, 4.1.2 |
| 39 | @ctrl/transmission | 7.3.1 |
| 40 | @ctrl/ts-base32 | 4.0.1, 4.0.2 |
| 41 | @hestjs/core | 0.2.1 |
| 42 | @hestjs/cqrs | 0.1.6 |
| 43 | @hestjs/demo | 0.1.2 |
| 44 | @hestjs/eslint-config | 0.1.2 |
| 45 | @hestjs/logger | 0.1.6 |
| 46 | @hestjs/scalar | 0.1.7 |
| 47 | @hestjs/validation | 0.1.6 |
| 48 | @nativescript-community/arraybuffers | 1.1.6, 1.1.7, 1.1.8 |
| 49 | @nativescript-community/gesturehandler | 2.0.35 |
| 50 | @nativescript-community/perms | 3.0.5, 3.0.6, 3.0.7, 3.0.8 |
| 51 | @nativescript-community/sentry | 4.6.43 |
| 52 | @nativescript-community/sqlite | 3.5.2, 3.5.3, 3.5.4, 3.5.5 |
| 53 | @nativescript-community/text | 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13 |
| 54 | @nativescript-community/typeorm | 0.2.30, 0.2.31, 0.2.32, 0.2.33 |
| 55 | @nativescript-community/ui-collectionview | 6.0.6 |
| 56 | @nativescript-community/ui-document-picker | 1.1.27, 1.1.28 |
| 57 | @nativescript-community/ui-drawer | 0.1.30 |
| 58 | @nativescript-community/ui-image | 4.5.6 |
| 59 | @nativescript-community/ui-label | 1.3.35, 1.3.36, 1.3.37 |
| 60 | @nativescript-community/ui-material-bottom-navigation | 7.2.72, 7.2.73, 7.2.74, 7.2.75 |
| 61 | @nativescript-community/ui-material-bottomsheet | 7.2.72 |
| 62 | @nativescript-community/ui-material-core | 7.2.72, 7.2.73, 7.2.74, 7.2.75, 7.2.76 |
| 63 | @nativescript-community/ui-material-core-tabs | 7.2.72, 7.2.73, 7.2.74, 7.2.75, 7.2.76 |
| 64 | @nativescript-community/ui-material-ripple | 7.2.72, 7.2.73, 7.2.74, 7.2.75 |
| 65 | @nativescript-community/ui-material-tabs | 7.2.72, 7.2.73, 7.2.74, 7.2.75 |
| 66 | @nativescript-community/ui-pager | 14.1.36, 14.1.37, 14.1.38 |
| 67 | @nativescript-community/ui-pulltorefresh | 2.5.4, 2.5.5, 2.5.6, 2.5.7 |
| 68 | @nexe/config-manager | 0.1.1 |
| 69 | @nexe/eslint-config | 0.1.1 |
| 70 | @nexe/logger | 0.1.3 |
| 71 | @nstudio/angular | 20.0.4, 20.0.5, 20.0.6 |
| 72 | @nstudio/focus | 20.0.4, 20.0.5, 20.0.6 |
| 73 | @nstudio/nativescript-checkbox | 2.0.6, 2.0.7, 2.0.8, 2.0.9 |
| 74 | @nstudio/nativescript-loading-indicator | 5.0.1, 5.0.2, 5.0.3, 5.0.4 |
| 75 | @nstudio/ui-collectionview | 5.1.11, 5.1.12, 5.1.13, 5.1.14 |
| 76 | @nstudio/web | 20.0.4 |
| 77 | @nstudio/web-angular | 20.0.4 |
| 78 | @nstudio/xplat | 20.0.5, 20.0.6, 20.0.7 |
| 79 | @nstudio/xplat-utils | 20.0.5, 20.0.6, 20.0.7 |
| 80 | @operato/board | 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50, 9.0.51 |
| 81 | @operato/data-grist | 9.0.29, 9.0.35, 9.0.36, 9.0.37 |
| 82 | @operato/graphql | 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46 |
| 83 | @operato/headroom | 9.0.2, 9.0.35, 9.0.36, 9.0.37 |
| 84 | @operato/help | 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46 |
| 85 | @operato/i18n | 9.0.35, 9.0.36, 9.0.37 |
| 86 | @operato/input | 9.0.27, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48 |
| 87 | @operato/layout | 9.0.35, 9.0.36, 9.0.37 |
| 88 | @operato/popup | 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.49 |
| 89 | @operato/pull-to-refresh | 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42 |
| 90 | @operato/shell | 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39 |
| 91 | @operato/styles | 9.0.2, 9.0.35, 9.0.36, 9.0.37 |
| 92 | @operato/utils | 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.49 |
| 93 | @teselagen/bio-parsers | 0.4.30 |
| 94 | @teselagen/bounce-loader | 0.3.16, 0.3.17 |
| 95 | @teselagen/file-utils | 0.3.22 |
| 96 | @teselagen/liquibase-tools | 0.4.1 |
| 97 | @teselagen/ove | 0.7.40 |
| 98 | @teselagen/range-utils | 0.3.14, 0.3.15 |
| 99 | @teselagen/react-list | 0.8.19, 0.8.20 |
| 100 | @teselagen/react-table | 6.10.19, 6.10.20, 6.10.22 |
| 101 | @teselagen/sequence-utils | 0.3.34 |
| 102 | @teselagen/ui | 0.9.10 |
| 103 | @thangved/callback-window | 1.1.4 |
| 104 | @things-factory/attachment-base | 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50 |
| 105 | @things-factory/auth-base | 9.0.43, 9.0.44, 9.0.45 |
| 106 | @things-factory/email-base | 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50, 9.0.51, 9.0.52, 9.0.53, 9.0.54 |
| 107 | @things-factory/env | 9.0.42, 9.0.43, 9.0.44, 9.0.45 |
| 108 | @things-factory/integration-base | 9.0.43, 9.0.44, 9.0.45 |
| 109 | @things-factory/integration-marketplace | 9.0.43, 9.0.44, 9.0.45 |
| 110 | @things-factory/shell | 9.0.43, 9.0.44, 9.0.45 |
| 111 | @tnf-dev/api | 1.0.8 |
| 112 | @tnf-dev/core | 1.0.8 |
| 113 | @tnf-dev/js | 1.0.8 |
| 114 | @tnf-dev/mui | 1.0.8 |
| 115 | @tnf-dev/react | 1.0.8 |
| 116 | @ui-ux-gang/devextreme-angular-rpk | 24.1.7 |
| 117 | @yoobic/design-system | 6.5.17 |
| 118 | @yoobic/jpeg-camera-es6 | 1.0.13 |
| 119 | @yoobic/yobi | 8.7.53 |
| 120 | airchief | 0.3.1 |
| 121 | airpilot | 0.8.8 |
| 122 | angulartics2 | 14.1.1, 14.1.2 |
| 123 | browser-webdriver-downloader | 3.0.8 |
| 124 | capacitor-notificationhandler | 0.0.2, 0.0.3 |
| 125 | capacitor-plugin-healthapp | 0.0.2, 0.0.3 |
| 126 | capacitor-plugin-ihealth | 1.1.8, 1.1.9 |
| 127 | capacitor-plugin-vonage | 1.0.2, 1.0.3 |
| 128 | capacitorandroidpermissions | 0.0.4, 0.0.5 |
| 129 | config-cordova | 0.8.5 |
| 130 | cordova-plugin-voxeet2 | 1.0.24 |
| 131 | cordova-voxeet | 1.0.32 |
| 132 | create-hest-app | 0.1.9 |
| 133 | db-evo | 1.1.4, 1.1.5 |
| 134 | devextreme-angular-rpk | 21.2.8 |
| 135 | ember-browser-services | 5.0.2, 5.0.3 |
| 136 | ember-headless-form | 1.1.2, 1.1.3 |
| 137 | ember-headless-form-yup | 1.0.1 |
| 138 | ember-headless-table | 2.1.5, 2.1.6 |
| 139 | ember-url-hash-polyfill | 1.0.12, 1.0.13 |
| 140 | ember-velcro | 2.2.1, 2.2.2 |
| 141 | encounter-playground | 0.0.2, 0.0.3, 0.0.4, 0.0.5 |
| 142 | eslint-config-crowdstrike | 11.0.2, 11.0.3 |
| 143 | eslint-config-crowdstrike-node | 4.0.3, 4.0.4 |
| 144 | eslint-config-teselagen | 6.1.7, 6.1.8 |
| 145 | globalize-rpk | 1.7.4 |
| 146 | graphql-sequelize-teselagen | 5.3.8, 5.3.9 |
| 147 | html-to-base64-image | 1.0.2 |
| 148 | json-rules-engine-simplified | 0.2.1, 0.2.4 |
| 149 | jumpgate | 0.0.2 |
| 150 | koa2-swagger-ui | 5.11.1, 5.11.2 |
| 151 | mcfly-semantic-release | 1.3.1 |
| 152 | mcp-knowledge-base | 0.0.2 |
| 153 | mcp-knowledge-graph | 1.2.1 |
| 154 | mobioffice-cli | 1.0.3 |
| 155 | monorepo-next | 13.0.1, 13.0.2 |
| 156 | mstate-angular | 0.4.4 |
| 157 | mstate-cli | 0.4.7 |
| 158 | mstate-dev-react | 1.1.1 |
| 159 | mstate-react | 1.6.5 |
| 160 | ng2-file-upload | 7.0.2, 7.0.3, 8.0.1, 8.0.2, 8.0.3, 9.0.1 |
| 161 | ngx-bootstrap | 18.1.4, 19.0.3, 19.0.4, 20.0.3, 20.0.4, 20.0.5 |
| 162 | ngx-color | 10.0.1, 10.0.2 |
| 163 | ngx-toastr | 19.0.1, 19.0.2 |
| 164 | ngx-trend | 8.0.1 |
| 165 | ngx-ws | 1.1.5, 1.1.6 |
| 166 | oradm-to-gql | 35.0.14, 35.0.15 |
| 167 | oradm-to-sqlz | 1.1.2, 1.1.5 |
| 168 | ove-auto-annotate | 0.0.9, 0.0.10 |
| 169 | pm2-gelf-json | 1.0.4, 1.0.5 |
| 170 | printjs-rpk | 1.6.1 |
| 171 | react-complaint-image | 0.0.32, 0.0.35 |
| 172 | react-jsonschema-form-conditionals | 0.3.18, 0.3.21 |
| 173 | react-jsonschema-form-extras | 1.0.4 |
| 174 | react-jsonschema-rxnt-extras | 0.4.9 |
| 175 | remark-preset-lint-crowdstrike | 4.0.1, 4.0.2 |
| 176 | rxnt-authentication | 0.0.3, 0.0.4, 0.0.5, 0.0.6 |
| 177 | rxnt-healthchecks-nestjs | 1.0.2, 1.0.3, 1.0.4, 1.0.5 |
| 178 | rxnt-kue | 1.0.4, 1.0.5, 1.0.6, 1.0.7 |
| 179 | swc-plugin-component-annotate | 1.9.1, 1.9.2 |
| 180 | tbssnch | 1.0.2 |
| 181 | teselagen-interval-tree | 1.1.2 |
| 182 | tg-client-query-builder | 2.14.4, 2.14.5 |
| 183 | tg-redbird | 1.3.1, 1.3.2 |
| 184 | tg-seq-gen | 1.0.9, 1.0.10 |
| 185 | thangved-react-grid | 1.0.3 |
| 186 | ts-gaussian | 3.0.5, 3.0.6 |
| 187 | ts-imports | 1.0.1, 1.0.2 |
| 188 | tvi-cli | 0.1.5 |
| 189 | ve-bamreader | 0.2.6, 0.2.7 |
| 190 | ve-editor | 1.0.1, 1.0.2 |
| 191 | verror-extra | 6.0.1 |
| 192 | voip-callkit | 1.0.2, 1.0.3 |
| 193 | wdio-web-reporter | 0.1.3 |
| 194 | yargs-help-output | 5.0.3 |
| 195 | yoo-styles | 6.0.326 |
How CloudDefense.AI can reduce impact
CloudDefense.AI unifies SCA with SBOM enforcement, CI/CD runtime visibility, and secrets & token posture:
- Block compromised versions at the gate. Our SCA + SBOM policies can fail the build when a dependency matches a known-bad version or reputation signal.
- Observe and alert during builds. Network/process-level telemetry during CI highlights unexpected calls (e.g., api.github.com during npm install) and suspicious child processes.
- Map & protect secrets. We discover where tokens live in code and pipelines, check scopes/rotations, and tie findings to reachable assets – so rotation after an incident is complete and prioritized.
- Correlate cloud access. We ingest CloudTrail/GCP/Azure audit logs and match abnormal secret access with build events for high-fidelity investigations.
