From late 2025 to early 2026, the Node.js and npm ecosystem experienced its darkest period — a series of massive supply chain attacks compromised packages with a combined 2.6 billion weekly downloads, forcing CISA (Cybersecurity and Infrastructure Security Agency) to issue multiple emergency advisories.
This article provides an in-depth analysis of all five major incidents, and explains why organizations that chose Java + PostgreSQL technology — like Saeree ERP — were completely unaffected.
Impact Summary (September 2025 — January 2026)
- npm packages compromised: 800+ packages
- Combined weekly downloads of affected packages: 2.6 billion
- GitHub repositories breached: 25,000+
- Highest CVSS score: 10.0 (React2Shell)
- CISA advisories issued: 3
Timeline of Events
| Date | Incident | Impact |
|---|---|---|
| Sep 8, 2025 | chalk/debug — 18 packages hijacked | 2.6 billion downloads/week |
| Sep 14-15, 2025 | Shai-Hulud Worm 1.0 | Self-propagating worm |
| Sep 23, 2025 | CISA advisory issued | Critical level |
| Nov 21-24, 2025 | Shai-Hulud Worm 2.0 | 796 packages, 132M monthly downloads |
| Dec 3, 2025 | React2Shell (CVE-2025-55182) | CVSS 10.0 — Critical RCE |
| Jan 13, 2026 | Node.js Security Release | 8 CVEs patched across all release lines |
| Jan 2026 | PackageGate Zero-Days | 6 zero-days in npm/pnpm/vlt/Bun |
Incident 1: chalk/debug Package Hijack — 18 Packages, 2.6 Billion Downloads
Date: September 8, 2025, 13:15 UTC
Attack Vector
The attacker used a phishing attack, sending a fake email from the domain npmjs.help (registered September 5, three days before the attack) to the maintainer known as "Qix-" (Josh Junon), who managed chalk, debug, and several other packages. The email claimed npm would lock his account within 48 hours. When the maintainer clicked the fake link, the attacker captured his username, password, and a live TOTP (2FA) code in real time.
Compromised Packages (18 packages)
| Package | Malicious Version | Weekly Downloads |
|---|---|---|
| chalk | 5.6.1 | 299 million |
| debug | 4.4.2 | 47 million |
| strip-ansi, ansi-regex, color-convert, wrap-ansi, ansi-styles, color-name, supports-color, slice-ansi, color, color-string, is-arrayish, simple-swizzle, supports-hyperlinks, has-ansi, chalk-template, backslash | Various versions | Combined ~2.6 billion |
What Did the Malware Do?
The injected code was an obfuscated cryptostealer that hooked into window.ethereum to intercept MetaMask and other crypto wallet interactions, silently redirecting transactions to attacker-controlled addresses. The attacker used wallet addresses visually similar to the victim's to avoid detection.
Detection and Response
A user named "informatic" noticed that a version published to npm did not match the source code on GitHub. Community notification followed rapidly, and most malicious packages were removed within ~1 hour.
Key Lesson: Even with 2FA enabled, TOTP-based codes can be captured through real-time phishing. Only hardware keys (FIDO2/WebAuthn) provide true phishing resistance.
Incident 2: Shai-Hulud Worm — Self-Propagating Malware Through npm
First Wave (September 2025)
The same week as the chalk/debug incident, ReversingLabs detected a self-propagating computer worm dubbed "Shai-Hulud" (named after the sandworms from the novel Dune). Patient zero was the rxnt-authentication package version 0.0.3, published September 14 — removed within ~2.5 hours.
Second Wave — Shai-Hulud 2.0 (November 2025)
The second wave was far more devastating: it launched November 21-23, was discovered November 24, and took ~12 hours to contain.
Shai-Hulud 2.0 Damage Scale:
| Metric | Value |
|---|---|
| Packages compromised | 796 packages (1,092 versions) |
| Total downloads | 132 million/month |
| GitHub repos breached | 25,000+ (from ~500 users) |
| Organizations affected | PostHog, Zapier, Postman, ENS Domains, AsyncAPI |
How Shai-Hulud Worked (Technical Details)
Shai-Hulud was a fully autonomous self-propagating worm that operated in 5 stages:
- Exploited the npm preinstall lifecycle script — code executes before installation completes, even if the install fails
- Disguised as a Bun installer — created files named setup_bun.js and bun_environment.js
- Credential harvesting — stole npm tokens from .npmrc, GitHub tokens, AWS/Azure/GCP credentials, and cloud metadata service tokens
- Self-propagation — used stolen npm tokens to authenticate as the victim, identified up to 100 packages maintained by the victim, bumped versions, injected malicious code, and auto-published
- Exfiltration — created a public GitHub repository named "Shai-Hulud" under the victim's account and committed all stolen secrets
Most Terrifying Feature: If the worm could not steal credentials or exfiltrate data, it would destroy the victim's entire home directory by securely overwriting and deleting every writable file — preventing any recovery.
Incident 3: React2Shell (CVE-2025-55182) — CVSS 10.0, Maximum Severity
Date: November 29, 2025 (reported) → December 3 (disclosed) → December 5 (exploited in the wild)
CVSS Score: 10.0 / 10.0
What Was the Vulnerability?
The vulnerability existed in React Server Components (RSC) — Meta's new system for running React on the server. The "Flight" protocol used for client-server communication had an insecure deserialization flaw. An attacker could send a single crafted HTTP POST request to achieve Remote Code Execution (RCE) with near 100% success rate.
Affected Versions
| Framework | Vulnerable Versions | Patched Versions |
|---|---|---|
| React (RSC) | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
| Next.js (App Router) | 14.3.0-canary+, 15.x, 16.x | 15.0.5, 15.1.9, 15.2.6, 15.5.7, 16.0.7 |
| React Router, Waku, Parcel, Vite, RedwoodSDK | Versions using React 19 RSC | Updated with React |
Scale of Impact
- 39% of cloud environments contained vulnerable instances (Wiz data)
- 61% of cloud environments had public-facing Next.js applications
- Multiple attack campaigns emerged within 24 hours of disclosure
- CISA added to Known Exploited Vulnerabilities (KEV) within 2 days
Threat Actors
AWS Threat Intelligence and Google Cloud confirmed that China-nexus cyber threat groups rapidly exploited this vulnerability, deploying multiple backdoors including MINOCAT (tunneler), SNOWLIGHT (downloader), HISONIC/COMPOOD (backdoors), XMRIG (cryptominer), and the Sliver framework for cloud credential harvesting.
Incident 4: Node.js Security Release — 8 CVEs Patched Across All Release Lines
Date: January 13, 2026
| CVE | Severity | Type | Details |
|---|---|---|---|
| CVE-2025-55131 | HIGH | Buffer Memory Leak | Buffer.alloc() may contain leftover data such as tokens or passwords from previous operations |
| CVE-2025-55130 | HIGH | FS Permission Bypass | Symlink paths bypass --allow-fs-read/write restrictions to access files outside allowed scope |
| CVE-2025-59465 | HIGH | HTTP/2 DoS | Malformed HEADERS frame causes Node.js process crash remotely |
| CVE-2025-59466 | MEDIUM | async_hooks Crash | Uncatchable stack overflow |
| CVE-2025-59464 | MEDIUM | TLS Memory Leak | TLS certificate memory leak (Node 24) |
| CVE-2026-21636 | MEDIUM | Unix Socket Bypass | Permission bypass via Unix Domain Socket |
| CVE-2026-21637 | MEDIUM | TLS PSK/ALPN DoS | DoS + File Descriptor leak from TLS callback |
| CVE-2025-55132 | LOW | fs.futimes Bypass | Bypasses read-only permissions |
Incident 5: PackageGate — 6 Zero-Days in npm, pnpm, vlt, and Bun
Date: January 2026
Security firm Koi disclosed 6 zero-day vulnerabilities across all major JavaScript package managers — critically, these flaws undermined the very defenses recommended after Shai-Hulud.
| Package Manager | Vulnerability | Impact |
|---|---|---|
| npm | Git dependency + malicious .npmrc | RCE even with scripts disabled |
| pnpm | Script-disable only applies to build phase | Silent RCE during install |
| vlt | Path traversal in tarball extraction | Arbitrary file writes |
| Bun | Allow-list checks names but not sources | Package spoofing for RCE |
Notably, npm dismissed these issues as "expected behavior", while pnpm, vlt, and Bun released patches.
Why Saeree ERP Was Completely Unaffected
All five incidents share one common factor — they all occurred within the JavaScript/Node.js/npm ecosystem, which Saeree ERP does not use at all.
| Aspect | Attacked Systems | Saeree ERP |
|---|---|---|
| Language | JavaScript / TypeScript | Java (industry standard for 29+ years) |
| Runtime | Node.js | Web Application Server (JBoss) |
| Package Manager | npm / pnpm / Bun | Maven Central (rigorous verification process) |
| Database | N/A | PostgreSQL (most reliable open-source DB) |
| Framework | React, Next.js | Angular + Jersey JAX-RS |
| Total Dependencies | npm: 500+ per project | Maven: tightly controlled, far fewer dependencies |
Why Java + Maven Is More Secure
- Maven Central has rigorous verification — requires domain ownership proof for Group IDs, preventing typosquatting
- No lifecycle scripts — Maven has no preinstall/postinstall mechanism, making Shai-Hulud-style attacks impossible
- Shallower dependency tree — Node.js projects often have 500-1,000+ transitive dependencies, while Java projects have far fewer, dramatically reducing attack surface
- Compile-time type safety — Java catches type errors at compile time, making insecure deserialization vulnerabilities (like React2Shell) easier to detect
- WAF (Web Application Firewall) — Saeree ERP uses WAF protection that has been proven to block 100% of XSS and Prototype Pollution attacks in real-world incidents
Choosing your foundational technology stack is not just about performance or features — it's about long-term security that affects your entire organization's risk profile.
- Saeree ERP Team
Lessons for Organizations — How to Choose Secure Technology
1. Don't Choose Technology Based on Trends
Node.js and npm gained popularity due to ease of access and rapid development speed. But popularity does not equal security. Larger ecosystems mean wider attack surfaces.
2. Assess Supply Chain Risk of Your Technology
- How does the package manager verify publishers?
- Are there auto-executing lifecycle scripts?
- How many dependencies does your project require?
- If one dependency is compromised, what's the blast radius?
3. For ERP/Mission-Critical Systems — Choose "Boring" but Stable Technology
Java may not be as "trendy" as Node.js, but for systems that must run 24/7, handle financial data, and serve hundreds of concurrent users — stability, security, and a verifiable ecosystem matter far more than development speed.
4. Evaluate Your Vendor's Security Standards
- What technology stack do they use? What are the supply chain risks?
- Have they passed OWASP Top 10 testing?
- How do they prevent SQL Injection and XSS?
- Do they have a Disaster Recovery plan?
- What security standards do they follow?
Summary
The 5 months from September 2025 to January 2026 proved that choosing the right technology from the start is one of the most critical decisions for organizational security.
Organizations running Node.js/npm systems had to contend with auditing hundreds of dependencies, multiple emergency patches, unresolved zero-days, and significant incident response costs.
Meanwhile, Saeree ERP, built on Java + PostgreSQL, was completely unaffected — because it was built on technology that has been battle-tested for over 29 years, with a rigorously verified ecosystem designed for mission-critical enterprise systems.
If you'd like to discuss ERP security or learn about Saeree ERP's security measures, feel free to contact our consulting team.
References
- Semgrep — chalk, debug, and color on npm compromised
- Wiz — npm Supply Chain Attack: chalk/debug Impact
- Palo Alto Unit 42 — npm Supply Chain Attack
- Datadog Security Labs — Shai-Hulud 2.0
- Check Point — Shai-Hulud 2.0: Inside the Second Coming
- React Official Blog — Critical Security Vulnerability in RSC
- Rapid7 — React2Shell CVE-2025-55182
- Google Cloud Threat Intelligence — React2Shell Exploitation
- Node.js Official — Security Release January 2026
- Koi — PackageGate: 6 Zero-Days in JavaScript Package Managers
- CISA — Supply Chain Compromise Impacting npm Ecosystem
- AWS Security — China-nexus Exploit React2Shell
