Node.js Supply Chain Attack

This article analyzes all 5 major incidents in detail, explaining why organizations using Java + PostgreSQL technology like Saeree ERP were completely unaffected.

Timeline of Events

Date	Event	Impact
8 Sep 2025	chalk/debug 18 packages hijacked	2.6 billion downloads/week
14-15 Sep 2025	Shai-Hulud Worm 1.0	Self-propagating worm
23 Sep 2025	CISA issues advisory	Critical level
21-24 Nov 2025	Shai-Hulud Worm 2.0	796 packages, 132 million downloads/month
3 Dec 2025	React2Shell (CVE-2025-55182)	CVSS 10.0 — Critical RCE
13 Jan 2026	Node.js Security Release	Patched 8 CVEs across all Release Lines
Jan 2026	PackageGate Zero-Days	6 vulnerabilities in npm/pnpm/vlt/Bun

Event 1: chalk/debug Package Hijack — 18 Packages, 2.6 Billion Downloads

Date: 8 September 2025 at 13:15 UTC

Attack Method

The attackers used a Phishing Attack, sending a fake email from the domain npmjs.help (registered on September 5, just 3 days before the attack) to deceive maintainer "Qix-" (Josh Junon), who managed chalk, debug, and several other packages. The email claimed npm would lock the account if identity wasn't verified within 48 hours. When the maintainer clicked the fake link, the attackers captured the username, password, and TOTP (2FA) code in real-time.

Compromised Packages (18 packages)

Package	Malware-infected Version	Downloads/Week
chalk	5.6.1	299 million
debug	4.4.2	47 million
strip-ansi	7.1.1	Total ~2.6 billion
ansi-regex, color-convert, wrap-ansi, ansi-styles, color-name, supports-color, slice-ansi, color, color-string, is-arrayish, simple-swizzle, supports-hyperlinks, has-ansi, chalk-template, backslash	Various versions

Additionally, a second wave occurred the next day (September 9) when duckdb was also attacked — package duckdb@1.3.3 contained malware for 7-9 hours before being removed.

What Did the Malware Do?

The embedded code was a Cryptostealer — intercepting window.ethereum to steal MetaMask and other crypto wallets by redirecting transactions to the attacker's wallet. Cleverly, the attackers used wallet addresses similar to the victim's original address to reduce detection chances.

Detection and Resolution

A user named "informatic" noticed that the npm version didn't match the source code on GitHub — alerting the community, and most packages were removed within ~1 hour.

Event 2: Shai-Hulud Worm — Self-Propagating Worm via npm

First Wave (September 2025)

The same week as the chalk/debug incident — ReversingLabs discovered a computer worm called "Shai-Hulud" (named after the sandworms from the novel Dune) that self-propagated through npm automatically. Patient Zero was the package rxnt-authentication version 0.0.3 (published September 14) — removed within ~2.5 hours.

Second Wave — Shai-Hulud 2.0 (November 2025)

Far more devastating — began November 21-23, detected by the community on November 24, taking ~12 hours to contain.

How Shai-Hulud Works (Technical)

Shai-Hulud is a worm that self-propagates automatically — requiring no human control, operating through 5 steps:

1. Exploits the preinstall lifecycle script — code runs before installation completes, even if the install fails.
2. Disguises itself as a Bun installer — creates files setup_bun.js and bun_environment.js
3. Steals credentials — extracts npm tokens from .npmrc, GitHub tokens, AWS/Azure/GCP credentials, and cloud metadata service tokens
4. Propagates — uses stolen npm tokens to log in as the victim → finds packages maintained by the victim (up to 100 packages) → bumps version → injects malware → publishes automatically
5. Exfiltrates data — creates a GitHub repository named "Shai-Hulud" under the victim's account and commits all stolen secrets into it

Event 3: React2Shell (CVE-2025-55182) — Maximum CVSS 10.0

Date: 29 November 2025 (reported) → 3 December (disclosed) → 5 December (actively exploited)

CVSS Score: 10.0 / 10.0

What Is the Vulnerability?

The vulnerability lies in React Server Components (RSC) — a new system Meta built for server-side React. The problem is in the "Flight" protocol used for client-server data exchange, which has an Insecure Deserialization flaw — an attacker can send a single HTTP POST request to execute arbitrary code on the server (Remote Code Execution) with nearly 100% success rate.

Affected Versions

Framework	Vulnerable Versions	Fixed Versions
React (RSC)	19.0, 19.1.0, 19.1.1, 19.2.0	19.0.1, 19.1.2, 19.2.1+
Next.js (App Router)	14.3.0-canary+, 15.x, 16.x	15.0.5, 15.1.9, 15.2.6, 15.5.7, 16.0.7
React Router, Waku, Parcel, Vite, RedwoodSDK	Versions using React 19 RSC	Update per React releases

Scale of Impact

• 39% of cloud environments have vulnerable instances (data from Wiz)
• 61% of cloud environments have internet-facing Next.js applications
• Within 24 hours of disclosure, multiple attack campaigns emerged
• CISA added it to Known Exploited Vulnerabilities (KEV) within 2 days

Threat Actors

AWS Threat Intelligence and Google Cloud confirmed that China-nexus threat groups rapidly exploited this vulnerability, deploying multiple backdoors:

• MINOCAT — tunneler for lateral movement within internal networks
• SNOWLIGHT — downloader for fetching additional malware
• HISONIC / COMPOOD — backdoors for remote server control
• XMRIG — cryptocurrency mining on victim servers
• Sliver Framework — stealing cloud credentials

Event 4: Node.js Security Release — 8 Vulnerability Patches Across All Release Lines

Date: 13 January 2026

Node.js issued emergency security patches for all release lines (20, 22, 24, 25) fixing 8 CVEs, 3 of which were rated HIGH severity.

CVE	Severity	Type	Details
CVE-2025-55131	HIGH	Buffer Memory Leak	Buffer.alloc() may leak stale data such as tokens or passwords previously stored in memory
CVE-2025-55130	HIGH	FS Permission Bypass	Uses symlinks to bypass --allow-fs-read/write and access files outside the permitted scope
CVE-2025-59465	HIGH	HTTP/2 DoS	Sends malformed HEADERS frames causing remote Node.js process crashes
CVE-2025-59466	MEDIUM	async_hooks Crash	Uncatchable stack overflow error
CVE-2025-59464	MEDIUM	TLS Memory Leak	Memory leak from TLS certificate handling (Node 24)
CVE-2026-21636	MEDIUM	Unix Socket Bypass	Permission bypass via Unix Domain Socket
CVE-2026-21637	MEDIUM	TLS PSK/ALPN DoS	DoS + File Descriptor leak from TLS callback
CVE-2025-55132	LOW	fs.futimes Bypass	Can bypass read-only permissions

Event 5: PackageGate — 6 Zero-Days in npm, pnpm, vlt and Bun

Date: January 2026

Security firm Koi disclosed 6 zero-day vulnerabilities in all major JavaScript package managers — worse yet, these vulnerabilities undermined the very defenses recommended after the Shai-Hulud incident.

Package Manager	Vulnerability	Impact
npm	Git dependency + fake .npmrc	RCE even with scripts disabled
pnpm	Script-disable only works during build phase	Silent RCE during install
vlt	Path traversal in tarball	Can write files anywhere
Bun	Allow-list checks name only, not origin	Can spoof packages
pnpm + vlt	Stores URL only, no integrity hash	Tarball can be modified on reinstall

Interestingly, npm denied these were vulnerabilities — calling them "expected behavior," while pnpm, vlt, and Bun have already released patches.

Why Is Saeree ERP Unaffected?

All 5 incidents above share one thing in common — they all occurred within the JavaScript/Node.js/npm ecosystem, which Saeree ERP does not use at all.

Aspect	Attacked Systems	Saeree ERP
Programming Language	JavaScript / TypeScript	Java (industry standard for over 29 years)
Runtime	Node.js	Web Application Server (JBoss)
Package Manager	npm / pnpm / Bun	Maven Central (with rigorous verification processes)
Database	Not applicable	PostgreSQL (the most stable open source database)
Framework	React, Next.js	Angular + Jersey JAX-RS
Total Dependencies	npm: 500+ dependencies per project	Maven: strictly controlled, far fewer dependencies

Why Is Java + Maven Safer?

1. Maven Central has a rigorous verification process — Group IDs (e.g., com.grandlinux) must be verified through domain ownership proof, making it impossible to easily publish packages with names similar to existing ones.
2. No lifecycle scripts — Maven lacks the preinstall/postinstall system that npm has, making Shai-Hulud-style attacks impossible.
3. Shallower dependency tree — Node.js projects typically have 500-1,000+ dependencies (including transitive), while Java projects have far fewer, resulting in a much smaller attack surface.
4. Compile-time type safety — Java verifies types at compile time, making vulnerabilities like Insecure Deserialization (as in React2Shell) easier to detect.
5. WAF (Web Application Firewall) — Saeree ERP has a WAF system that blocks attacks such as XSS and Prototype Pollution with 100% effectiveness, as verified in real-world incidents.

Choosing a technology stack is not just about performance or features — it's about long-term security that affects the entire organization's risk profile.

— Saeree ERP Team

Lessons for Organizations — How to Choose Technology Safely

From these incidents, here is what IT executives and CTOs should consider:

1. Don't Choose Technology Based on Trends

Node.js and npm are popular because they're easy to adopt and develop with fast. But popularity does not equal security — the larger the ecosystem, the broader the attack surface.

2. Assess Supply Chain Risk of Your Technology

Ask:

• How does the Package Manager verify packages?
• Are there lifecycle scripts that run automatically?
• How many dependencies does the project rely on?
• If one dependency is compromised, what is the blast radius?

3. For ERP/Mission-Critical Systems — Choose "Boring" but Stable Technology

Java may not be as "cool" as Node.js, but for systems that must run 24/7, handle financial data, and serve hundreds of concurrent users, stability, security, and an auditable ecosystem matter far more than "speed of development."

4. Verify Vendor Security Standards

When choosing an ERP or mission-critical software, ask:

• What technology is used? What is the supply chain risk?
• Has it been tested against OWASP Top 10?
• What measures protect against SQL Injection and XSS?
• Is there a Disaster Recovery plan?
• What security standards are followed?

Conclusion

The past 5 months (September 2025 — January 2026) have proven that choosing the right technology from the start is one of the most critical decisions in maintaining organizational security.

Organizations running systems on Node.js/npm had to face:

• Auditing hundreds of dependencies
• Multiple rounds of emergency patching
• Risk from unpatched zero-days
• Incident response costs

Meanwhile, Saeree ERP, built with Java + PostgreSQL, was unaffected by any of these incidents — because it uses technology proven for over 29 years, with a rigorously audited ecosystem suited for mission-critical enterprise systems.

If you'd like to consult on ERP system security or learn how Saeree ERP maintains its security posture, you can contact our advisory team anytime.

References

• Semgrep — chalk, debug, and color on npm compromised
• Wiz — npm Supply Chain Attack: chalk/debug Impact
• Palo Alto Unit 42 — npm Supply Chain Attack
• Datadog Security Labs — Shai-Hulud 2.0
• Check Point — Shai-Hulud 2.0: Inside the Second Coming
• React Official Blog — Critical Security Vulnerability in RSC
• Rapid7 — React2Shell CVE-2025-55182
• Google Cloud Threat Intelligence — React2Shell Exploitation
• Node.js Official — Security Release January 2026
• Koi — PackageGate: 6 Zero-Days in JavaScript Package Managers
• CISA — Supply Chain Compromise Impacting npm Ecosystem
• AWS Security — China-nexus Exploit React2Shell