Unit 42 Maps npm Attack Surface: Wormable Malware, CI/CD Persistence, and Multi-Stage Chains

Unit 42 has published a technical analysis of the npm supply chain attack surface following the Shai-Hulud worm campaign. The research identifies wormable malware capable of propagating across developer environments, CI/CD pipeline persistence techniques that survive package removal, and multi-stage attack chains designed to maximize reach from a single compromised package.

Key practitioner takeaways: audit CI/CD pipeline permissions and artifact store access, ensure package integrity checks (lockfile pinning, provenance attestation) are enforced in build pipelines, and treat any environment that pulled a recently flagged npm package as potentially pivoted rather than simply patched. Shai-Hulud’s worm component means secondary infections in connected repos are a realistic post-compromise scenario.