(TLP:CLEAR) Widespread Supply Chain Compromise Impacting npm Ecosystem
Created: Thursday, September 25, 2025 - 15:12
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: An active and widespread software supply chain attack is currently targeting the Node Package Manager (npm) ecosystem. The attack uses a self-replicating worm, which security researchers have named “Shai-Hulud,” that has compromised over 500 software packages. CISA issued an alert on Tuesday, September 23, providing guidance in response to the ongoing attack.
Analyst Note: Although this npm supply chain compromise does not directly target water utilities, its scale and ongoing nature pose significant indirect supply chain risk to the water sector and to other critical infrastructure sectors. WaterISAC encourages utilities to review the recommendations provided by CISA and to audit potential dependencies in their software supply chain by determining whether any vendor-supplied or in-house software is built on npm/Node.js or other JavaScript stacks, and which packages that software pulls in.
Additional guidance can be found in Fundamental 11: Secure the Supply Chain, from WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities.
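As an added, illustrative example (not code from CISA or WaterISAC), the Node script below turns the dependency audit step into something concrete: it inventories every package pinned in a project's package-lock.json, including transitive dependencies, and flags entries whose name and version appear on a review list, that were resolved from somewhere other than the public npm registry, or that carry no integrity hash. It handles both lockfile version 1 (nested "dependencies" tree) and versions 2 and 3 (flat "packages" map). The sample lockfiles, the package names in them, and the review list are constructed placeholders; this advisory names no specific compromised packages, so the review list has to be populated from the indicators in CISA's alert.

```javascript
// Added example for this advisory (not CISA or WaterISAC code): inventory every
// package pinned in an npm lockfile and flag entries that need review.
// Supports package-lock.json lockfileVersion 1 (nested "dependencies") and
// lockfileVersion 2/3 (flat "packages" keyed by node_modules path).

// Constructed sample lockfile (v3). Package names are placeholders, not real packages.
const SAMPLE_LOCKFILE_V3 = {
  name: "utility-portal",
  lockfileVersion: 3,
  packages: {
    "": { name: "utility-portal", version: "1.0.0" }, // the root project itself
    "node_modules/example-ui": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/example-ui/-/example-ui-2.1.0.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/example-ui/node_modules/@acme/nested-lib": {
      version: "0.4.2",
      resolved: "https://registry.npmjs.org/@acme/nested-lib/-/nested-lib-0.4.2.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/vendor-widget": {
      version: "5.0.1",
      resolved: "https://mirror.example.internal/vendor-widget-5.0.1.tgz",
      // no integrity field: the tarball cannot be checked against the lockfile
    },
  },
};

// Constructed sample lockfile (v1) with the same dependency tree.
const SAMPLE_LOCKFILE_V1 = {
  name: "utility-portal",
  lockfileVersion: 1,
  dependencies: {
    "example-ui": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/example-ui/-/example-ui-2.1.0.tgz",
      integrity: "sha512-AAAA",
      dependencies: {
        "@acme/nested-lib": {
          version: "0.4.2",
          resolved: "https://registry.npmjs.org/@acme/nested-lib/-/nested-lib-0.4.2.tgz",
          integrity: "sha512-BBBB",
        },
      },
    },
    "vendor-widget": {
      version: "5.0.1",
      resolved: "https://mirror.example.internal/vendor-widget-5.0.1.tgz",
    },
  },
};

// Placeholder review list: { packageName: [versions] }. Hypothetical entry only;
// fill this from the indicators published in CISA's alert.
const REVIEW_LIST = { "example-ui": ["2.1.0"] };

// Package name from a v2/v3 key, e.g.
// "node_modules/example-ui/node_modules/@acme/nested-lib" -> "@acme/nested-lib".
function nameFromPath(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Flatten a lockfile into [{ name, version, resolved, integrity, where }].
function inventory(lock) {
  const out = [];
  if (lock.packages) { // lockfileVersion 2 or 3
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === "") continue; // skip the root project entry
      out.push({ name: nameFromPath(key), version: meta.version,
                 resolved: meta.resolved, integrity: meta.integrity, where: key });
    }
  } else if (lock.dependencies) { // lockfileVersion 1: recursive tree walk
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        out.push({ name, version: meta.version, resolved: meta.resolved,
                   integrity: meta.integrity, where });
        if (meta.dependencies) walk(meta.dependencies, where + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

// Flag entries that are on the review list, lack an integrity hash, or were
// resolved from a host other than the expected registry.
function audit(entries, reviewList, registryHost = "registry.npmjs.org") {
  const findings = [];
  for (const e of entries) {
    const reasons = [];
    if ((reviewList[e.name] || []).includes(e.version)) reasons.push("on review list");
    if (!e.integrity) reasons.push("no integrity hash");
    let host = null;
    try { host = e.resolved ? new URL(e.resolved).host : null; } catch { host = null; }
    if (host !== registryHost) reasons.push(`resolved from ${host || "unknown"}`);
    if (reasons.length) findings.push({ name: e.name, version: e.version, where: e.where, reasons });
  }
  return findings;
}

// Usage: node audit-lockfile.js [path/to/package-lock.json]; defaults to the sample.
function main(argv) {
  const lock = argv[2]
    ? JSON.parse(require("fs").readFileSync(argv[2], "utf8"))
    : SAMPLE_LOCKFILE_V3;
  const entries = inventory(lock);
  console.log(`${entries.length} packages pinned in lockfile`);
  for (const f of audit(entries, REVIEW_LIST)) {
    console.log(`REVIEW ${f.name}@${f.version} (${f.where}): ${f.reasons.join("; ")}`);
  }
}
if (typeof require !== "undefined" && require.main === module) main(process.argv);
```

Run it against each lockfile checked into vendor-delivered or in-house Node.js projects. A package flagged only because it resolved from an internal mirror is not itself evidence of compromise, but it does mean the integrity and provenance of that copy have to be verified separately rather than trusted from the lockfile.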
Original Source: https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
Mitigation Recommendations:
Related WaterISAC PIRs: 6, 10, 11, 12