He Who Controls the Tokens Controls the Supply Chain: The New Face of Automated Attacks
From the s1ngularity attack that weaponized AI assistants to the Shai-Hulud worm that automates the entire attack lifecycle — the open-source supply chain is under siege.
The full version of this article was published on Trend Micro Research. Below is a summary of the key findings.
The open-source supply chain is facing a rapidly accelerating threat, evolving from targeted malware to self-propagating worms in a matter of weeks.
First, the ‘s1ngularity’ attack weaponized developers’ own AI assistants, turning local CLI tools into accomplices for harvesting credentials, SSH keys, and crypto wallets at scale.
This was quickly followed by the “Shai-Hulud” worm, a far more dangerous escalation. This worm automates the entire attack lifecycle: it compromises a developer’s environment, uses legitimate security tools to find NPM publishing tokens, and then uses those tokens to infect and republish other packages under the maintainer’s control.
The thumper and the worm: a two-stage escalation
Stage 1: ‘s1ngularity’ weaponizes AI for credential theft
The initial wave began with the compromise of a popular NPM package, deploying the ‘s1ngularity’ malware onto developers’ machines. In a novel approach, the malware hijacked locally installed AI command-line (CLI) tools, such as those for Gemini and Claude. It then programmatically issued prompts commanding the AI assistants to scan the victim’s entire filesystem for credentials, SSH keys, and crypto wallets. This turned the developers’ own productivity tools into powerful, unwitting accomplices for data theft, establishing a new method for harvesting sensitive secrets at scale.
Stage 2: ‘Shai-Hulud’ unleashes an automated worm
Just weeks after the ‘s1ngularity’ attack, the threat escalated dramatically. Leveraging maintainer accounts — likely compromised through separate, widespread phishing campaigns — attackers unleashed “Shai-Hulud,” a self-propagating worm.
This is the final, devastating stage. The worm weaponizes legitimate tools like TruffleHog to find NPM publishing tokens within a compromised environment. It then uses those tokens to automatically infect and republish up to 20 other packages under the maintainer’s control, creating an automated and rapidly spreading supply chain attack that operates without further human intervention.
No one is immune
The compromise of CrowdStrike’s developer packages is a stark reminder that in an automated attack, no one is off-limits. This was not a breach of CrowdStrike’s core Falcon platform or corporate network. It was the result of the worm’s indiscriminate, automated logic. Once a publishing token was compromised, the worm spread as designed. This event powerfully illustrates that in the interconnected open-source world, even the most security-savvy organizations are exposed to systemic supply chain risks.
The path forward in the age of automated attacks
The Shai-Hulud worm is a paradigm shift. Defending against automated, scalable campaigns requires a fundamental change in our security posture.
- Mandate Phishing-Proof MFA: The era of TOTP-based 2FA is over, as codes can be easily phished. Hardware security keys (FIDO2/WebAuthn) that bind authentication to a physical device are now essential for any developer with publishing rights.
- Adopt a “Prevention-First” Mindset: Static dependency scanning is not enough because it can’t detect malicious behavior at runtime. We need active protection within our CI/CD pipelines to detect anomalous activity, like a build process suddenly trying to scan the filesystem with trufflehog.
- Treat Developer Identities as Privileged Access: Developer accounts and their tokens are the new domain admin accounts. They hold the keys to the kingdom — your source code and the ability to publish it. They must be managed with the principles of least privilege and short-lived credentials.
- Implement Proactive Credential Scanning: Don’t wait for an attack. Integrate tools like TruffleHog into your own development lifecycle. This allows you to find and revoke exposed secrets before they can be weaponized by an attacker who is using the exact same methods.
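The runtime check described under "Prevention-First" can be sketched as a detector over CI process-start events. This is an added example, not code from the original article or from Trend Micro. The event format, step names and executable names are assumptions, and the sample events are constructed.

```python
import json

# Assumed executable names: the article names TruffleHog and the Gemini/Claude
# CLIs but not their binaries; adjust to your environment.
SENSITIVE_TOOLS = {"trufflehog", "gemini", "claude"}
# Assumed names of processes that run dependency installs and builds.
BUILD_PARENTS = {"npm", "node", "yarn", "pnpm"}
# Pipeline steps where a secret scan is expected (hypothetical step name).
ALLOWED_STEPS = {"secret-scan"}

# Constructed sample: process-start events as a CI runner audit hook might emit.
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1, "step": "install", "argv": ["/usr/bin/npm", "ci"]}
{"pid": 101, "ppid": 100, "step": "install", "argv": ["/usr/bin/node", "scripts/setup.js"]}
{"pid": 102, "ppid": 101, "step": "install", "argv": ["/tmp/trufflehog", "filesystem", "/"]}
{"pid": 200, "ppid": 1, "step": "secret-scan", "argv": ["/usr/local/bin/trufflehog", "filesystem", "."]}
{"pid": 300, "ppid": 1, "step": "test", "argv": ["/usr/bin/npm", "test"]}
{"pid": 301, "ppid": 300, "step": "test", "argv": ["/usr/bin/node", "node_modules/.bin/jest"]}
"""

def exe_name(argv):
    """Basename of the executable, lowercased, without a Windows .exe suffix."""
    name = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def find_anomalies(lines):
    """Return alerts for sensitive tools started beneath a build/install process."""
    procs, alerts = {}, []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        procs[ev["pid"]] = ev
        tool = exe_name(ev["argv"])
        if tool not in SENSITIVE_TOOLS or ev["step"] in ALLOWED_STEPS:
            continue
        # Walk the ancestry; the seen set guards against pid-reuse loops.
        chain, seen, parent = [], set(), procs.get(ev["ppid"])
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            chain.append(exe_name(parent["argv"]))
            parent = procs.get(parent["ppid"])
        if BUILD_PARENTS & set(chain):
            alerts.append({"pid": ev["pid"], "tool": tool, "step": ev["step"],
                           "ancestry": chain, "argv": ev["argv"]})
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS.splitlines()):
        print("ALERT", json.dumps(alert))
```

The sanctioned scan in the `secret-scan` step stays quiet, while the same tool started underneath `npm ci` raises an alert that includes the full parent chain for triage.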
The age of the automated supply chain attack is here. The question is no longer if we are prepared, but how quickly we can adapt.