← Threat Library
critical self propagating worm mcpnpm
Shai-Hulud
Self-replicating npm worm (Sept 2025, plus v2.0 Nov 2025 and Mini Shai-Hulud May 2026). Used TruffleHog to steal cloud/AI credentials; later waves explicitly targeted Claude Code / MCP config files.
Disclosed September 15, 2025
Blast radius hundreds of npm packages
Status remediated
Overview
Shai-Hulud is a self-replicating worm in the npm ecosystem. It spreads through cascading compromise of maintainer accounts, runs TruffleHog to harvest 800+ secret types, and exfiltrates to attacker-created GitHub repos. The MCP tie-in: mcp-knowledge-base was compromised, and Mini Shai-Hulud (May 2026) harvested ~/.claude.json and ~/.claude/mcp.json.
IOC note
ReversingLabs published per-version SHA1 tarball hashes (npm dist.shasum). These identify npm packages, not browser/IDE extensions, and the malicious versions have been purged from npm — search the hash on VirusTotal/MalwareBazaar to retrieve a captured copy.
Affected extensions (3)
| Name | Store | ID | Malicious version | Archived |
|---|---|---|---|---|
| mcp-knowledge-base | mcp | mcp-knowledge-base | 0.0.2 | no |
| @ctrl/tinycolor | npm | @ctrl/tinycolor | 4.1.1 | no |
| rxnt-authentication | npm | rxnt-authentication | 0.0.3 | no |
Indicators of compromise (129)
| sha1 | 5a87d68716cf9d99ec90835d623559bead2a76d3 | [email protected] | |
| sha1 | fab6e4df7b80943ae29bb7b4edd003470da6627e | [email protected] | |
| sha1 | b65a8f02bcc425e9f43f44c4062e57a7ed0bb4ac | [email protected] | |
| sha1 | a134cb5a9c3187c7e2419ce5981bc8365cfbb1d7 | [email protected] | |
| sha1 | edca8792f335b64b6929ef08b5d9bf812cc9ce77 | [email protected] | |
| sha1 | 88a1b7b4dfe55bfcf33ee73520506596c3b11f05 | [email protected] | |
| sha1 | 4dc5ee4c3152541d892944c7599b81c8d6b1afd6 | [email protected] | |
| sha1 | cefb886c65d58dec552d217bf2e6bbfff900a067 | [email protected] | |
| sha1 | 0ed8d9cad44182c5e0867c105fb1dcb4b559a87f | [email protected] | |
| sha1 | ec85986413119e60684a99f3100c9d481cfdf08c | [email protected] | |
| sha1 | 287a71e7df71b6c1cc10d51a4c18f8a1ce23cba0 | [email protected] | |
| sha1 | 48932e2c66fb9fd103cdd2a4c0bfb77483061511 | [email protected] | |
| sha1 | f1c23c1e76acbd07591e4708bc2f2768a9f754f2 | [email protected] | |
| sha1 | 5ce815ae8dfdb07fb5ebbc50643410e5f63daa2a | [email protected] | |
| sha1 | caf629df8ec99ba641873e887a9d3e17bb2e040c | [email protected] | |
| sha1 | 99db340e5444f15bcafe0888122e12776ee353be | [email protected] | |
| sha1 | 7c1454a3907079182ce7441def94f21e7e3fb554 | [email protected] | |
| sha1 | 967bcd5cf05a814b9e14895183fe1e00fe06c8fd | [email protected] | |
| sha1 | c7d64660cd39ab9ae3a57cb2c9bbf7a89cf559c7 | [email protected] | |
| sha1 | 2ad5fdb982e406b6817225f0a4edf30262a8ed3a | [email protected] | |
| sha1 | c86e40c248604f06e220675de5ea0af17711fc66 | [email protected] | |
| sha1 | cb81069ef7b290660f9f640a56cfab33bd5764df | [email protected] | |
| sha1 | 4c65f7bf4974a2892e2867dad270777cc1b1f0e0 | [email protected] | |
| sha1 | c5012da7a0588bf39f4666a83ce43e11f70eb655 | [email protected] | |
| sha1 | 0c708c8b4d02903233ce1d3913353e4ab9e33ce9 | [email protected] | |
| sha1 | 8b5f31b22ac158f488179c49e718043e6bef25ef | [email protected] | |
| sha1 | 8960070bcf368cb548f80756e22170836028897d | [email protected] | |
| sha1 | 05307d8af5bea87f5ec60aaadcdd7be5a0f2e3fd | [email protected] | |
| sha1 | cab67ca4f2051efb640e5b73b5faea6c2b7af4a1 | [email protected] | |
| sha1 | dcea1fdaa6621072fed6962e3461e18c22f7261d | [email protected] | |
| sha1 | 1b6704faf237f65c83e1856c1c5f6efa9ec0e9ab | [email protected] | |
| sha1 | 9dd491b1b2faa10419198cadc25d0b30d46acba2 | [email protected] | |
| sha1 | 8b9873af85a6f4a5ab24d76dd97dc3fa83a53dd6 | [email protected] | |
| sha1 | 757255f78f024ef955de52d63156a56e0a91398b | [email protected] | |
| sha1 | b7ba4864a1aab4ba632c9c0fe1fcdc2fb0c268c8 | [email protected] | |
| sha1 | f1db81c622e9264c7808010fd2eaa585f8766335 | [email protected] | |
| sha1 | a9bd726a1c567cbf8be371de175298c2ba10b19b | [email protected] | |
| sha1 | 331c874a34747ac27a0caa5469474f552b0189f3 | [email protected] | |
| sha1 | 74de479293d9a47cce99c13f25e15103d40fbd0f | [email protected] | |
| sha1 | 899c7632dfc1db4917416ab42a3b66c220728b20 | [email protected] | |
| sha1 | 59e3b10efec96f31c90a15d0b3cdb3c3a3474ed4 | [email protected] | |
| sha1 | 70e30ebb44489fca86d9ddc6f85c3cbb54f3bbbc | [email protected] | |
| sha1 | 5cf876f82760193d2d068f3c5e1a24c7138002b1 | @teselagen/[email protected] | |
| sha1 | bb5d7c3f23e1b5218f7a718f0a627cd0e897f39a | @teselagen/[email protected] | |
| sha1 | 79d8b13567743aa842225f1d4a1a91fe3a1f3af8 | @teselagen/[email protected] | |
| sha1 | 9b9a438091a5647e4ceb336fea424a384756183e | @teselagen/[email protected] | |
| sha1 | 40b9aa9f98dc6073e04a56fd9d3596e4abefc596 | @teselagen/[email protected] | |
| sha1 | eab6be69fbc87987a64474f67c237c728d792a70 | @teselagen/[email protected] | |
| sha1 | bcf8527ac58d7409c7330c617330cc136eb819f1 | @teselagen/[email protected] | |
| sha1 | 1a510a951e0fc186b99e313d94ab6ab72a6cd9d0 | @teselagen/[email protected] | |
| sha1 | 038aea646659592778a4ea13b3dcab6e1f3ca32d | @teselagen/[email protected] | |
| sha1 | d8c0d20a17951f0b8a85c7cf5400d98841e17de6 | @teselagen/[email protected] | |
| sha1 | 32547a2862896cb2f96ac23284fc5e979f0e2414 | @teselagen/[email protected] | |
| sha1 | fd1dd0aee3ccb7fabd751e8a3d3ba99c493391bd | @teselagen/[email protected] | |
| sha1 | c8ae5c76dc5837e18736678e928357a575a28a9f | @teselagen/[email protected] | |
| sha1 | 7299b1adfe9f49d9f9caa14e8765c9ffe7cdd35b | @teselagen/[email protected] | |
| sha1 | a28500d7adbb44e9fb29cb64401077ccfa2725ea | @teselagen/[email protected] | |
| sha1 | 877569099a6509ace5e120c0109b5da7f7a2282f | @teselagen/[email protected] | |
| sha1 | 066b0294e11a90cfcb11dad16f3d5557712c7ebd | @teselagen/[email protected] | |
| sha1 | 27ae0e090fb441ef2da0e955f66c4f434f1368a7 | @teselagen/[email protected] | |
| sha1 | 68e74c4250af9845f3c193b74e91124f2888de50 | [email protected] | |
| sha1 | 640376c96617c1845378137b7a1d9cb74928ba20 | [email protected] | |
| sha1 | 933d64001fc0459dae8a0449e08c662c734a6f0b | [email protected] | |
| sha1 | c2f0cc5734af74e244ff7ac34ea45387d813a22d | [email protected] | |
| sha1 | a87cbf0a4cefbce50aa699641df2b61a833bca97 | [email protected] | |
| sha1 | a28a7b4cd232a7935fdf9495b439a8d54ececbc6 | [email protected] | |
| sha1 | e7d43606eb9fa18f4996db691f2086541b9bd3f4 | [email protected] | |
| sha1 | 0490214387616c1265447752310136352545831e | [email protected] | |
| sha1 | 9459764f29b525e068c890663c79ec7ef81e9496 | [email protected] | |
| sha1 | 602a9c12e35b78e0608a163495b5bddb5c2dc0fe | [email protected] | |
| sha1 | d36e5dd827d1b316e641a28bd4d1fb74b209d6f4 | [email protected] | |
| sha1 | b0fec9e0e1855df3f154f021489848087b5f8762 | [email protected] | |
| sha1 | 711cfa0503a965e901a943798923bd5a181eda67 | [email protected] | |
| sha1 | 4c6aaae6c2f7e6b34e72a35f19ba686a6df76660 | [email protected] | |
| sha1 | dc3c63c58f1f1fa2117b1657114b5d7e4c44c850 | [email protected] | |
| sha1 | 3c5b060c1a124123a7480cd57d9db98b52a638c3 | [email protected] | |
| sha1 | d9f7f7f88fbc8094b721968d150af696913fa590 | [email protected] | |
| sha1 | 953dc4903d8a08f21d0a7cf49f01a1fe9f219434 | [email protected] | |
| sha1 | 18e323f15332a80e13037cf71fc632b4a7c79b27 | [email protected] | |
| sha1 | d3eaea409b77c9497adbf544563a2abb197f1d95 | [email protected] | |
| sha1 | ddbf3395f4d584e2a788b15061e85c2d17fb1509 | [email protected] | |
| sha1 | badf1b89443fc68e1369dd753eaeaac784e9df1b | [email protected] | |
| sha1 | 17b464cbf81e074aaed24eb87c02d567f56dcfce | [email protected] | |
| sha1 | d02f0f2ea5c9b1c29e5f6aae4fa0677f99b03cde | [email protected] | |
| sha1 | c68054201d511f2135750edaef49958b4587267f | [email protected] | |
| sha1 | 317c491606e651a49db9873aed3a25fe2d7b9d6f | [email protected] | |
| sha1 | f1501a45e6ac7d1e95c8a6ef9f192583b6d91a56 | [email protected] | |
| sha1 | 897513887c92230ff0244cd51cd8f29664df28a5 | [email protected] | |
| sha1 | f1a932205d020c521ea52de4159d5d340cdb7fcc | [email protected] | |
| sha1 | 0f2d98464cdaa2211a27977596c0c0652862302a | [email protected] | |
| sha1 | 784dac6eae8261e32152f667286dc38e53b1bbcd | [email protected] | |
| sha1 | 527b3bbcbb86e88a2f51199bc21e12aec19bbb62 | [email protected] | |
| sha1 | cc7371ec3fc1ad9a62cb246e5885f13edf5fdeca | @ctrl/[email protected] | |
| sha1 | 087e06ddade4a3a91292f550173f8470c49b5c36 | @ctrl/[email protected] | |
| sha1 | b64401062ed84bacab8d6de8d6865d05978cd713 | @ctrl/[email protected] | |
| sha1 | 61a401e669a33cbd38ca717fda0e6bb86665e9bf | @ctrl/[email protected] | |
| sha1 | 2eaf147ef0a371050f3f1cec559ab9d2862036ae | @ctrl/[email protected] | |
| sha1 | aea3cb5108e29c7869890012d06a7396a8b29ec3 | @ctrl/[email protected] | |
| sha1 | a5e233a8801faec95d35a703c0ca701e95048b35 | @ctrl/[email protected] | |
| sha1 | 3563ab863a9df12638c628b00c36ca2acee6e547 | @ctrl/[email protected] | |
| sha1 | 48f74f6af4a5932945b41479c734560ace278999 | @ctrl/[email protected] | |
| sha1 | c4a7f650aa3281fbb8c518eeb5254929e00a3651 | @ctrl/[email protected] | |
| sha1 | 1f86a2dd3636c1b3f6754bc8ad760c1154a8eeee | @ctrl/[email protected] | |
| sha1 | d93c8c3688745239be212f87df64edb7e2284910 | @ctrl/[email protected] | |
| sha1 | 8820c2a858b73c91eb9567355dba4b6911bb2eed | @ctrl/[email protected] | |
| sha1 | 6f6b53f38e2e1880ed82810dc5fce39cdd942155 | @ctrl/[email protected] | |
| sha1 | cd11335d66bed36e237b91ed2bc1b8ac0dc3c560 | @ctrl/[email protected] | |
| sha1 | 4223c5eb6d4d8b757e8be054c56417611d47098e | @ctrl/[email protected] | |
| sha1 | d7e800c37d67d878149fc7a6fb1569a654f928e5 | @ctrl/[email protected] | |
| sha1 | cc289cc72e44d3863d4d099bc1a597fec17821c2 | @ctrl/[email protected] | |
| sha1 | 35187a7ee832909f901a713be277bb636692f422 | @ctrl/[email protected] | |
| sha1 | ef42322bb763f24d44c9594c43812aa18c99dfe3 | @ctrl/[email protected] | |
| sha1 | 31a8730a11fc6cbf1bbdd216d7053949e908c50f | @ctrl/[email protected] | |
| sha1 | ffd87620395edb43ae3f51bc7b5852e575627721 | @ctrl/[email protected] | |
| sha1 | c9011fb8316e2cc639099643d42909aa32f5f85b | @ctrl/[email protected] | |
| sha1 | d64d6c775c37bf4c1a19c5ec9354f9caff435eaf | @ctrl/[email protected] | |
| sha1 | b6003fe43666d12f190d51f5279c44c480dd63e6 | @ctrl/[email protected] | |
| sha1 | eb901ee6b02a6ce51786241e300a30f82eae6dc5 | @ctrl/[email protected] | |
| sha1 | 93fe3f8a055b4d4000b95c8eecb029293bf6912f | @ctrl/[email protected] | |
| sha1 | 62092c345d57fe75256d0e2d1d0b694c8bc51bbf | [email protected] | |
| sha1 | 3ab7860deb3bde7a324c12cbbeb5532442f56709 | [email protected] | |
| sha1 | 932608d1ce4a27c9ee27ff94d68a0b511470eabb | [email protected] | |
| sha1 | 4e5e70b023b5d8f0983ba69d2fa2788b86df6d54 | [email protected] | |
| sha1 | 382b2e158f2f6a2efc70513bf8c7879715bf908a | [email protected] | |
| sha1 | 893f7d22e9e2a9f50ae583522bcace960a706a04 | [email protected] | |
| sha1 | 8649b99dd099a48c433f9f3eaafa4f7a70d01816 | [email protected] | |
| sha1 | 1d37200f4644190a94df00cfec8c48bce74691ba | [email protected] | |
| sha1 | 546d6a18e2f8b4a7229a25afc0c6bb22df008715 | [email protected] | |
| sha1 | 931b4da27e51406a0b49fd547b219dbaf69f3351 | [email protected] |