Worm propagates through package installations and CI pipelines automatically

critical

securityUpdated Nov 24, 2025(via Exa)

Sources

SHA1-Hulud, npm Supply Chain Incident | Snyksnyk.io

Technologies:

Snyksubject

GitHub ActionsThe root cause of this issue originates in GitHub Actions

JenkinsJenkins metrics correlate with this issue and help confirm diagnosis

GitLab CIGitLab CI metrics correlate with this issue and help confirm diagnosis

How to detect:

The worm's ability to automatically propagate through package installations, CI pipelines, and cloud environments makes each new victim into a platform for further infection, creating exponential spread risk through development infrastructure.

Recommended action:

Isolate affected CI/CD systems immediately. Review CI pipeline execution logs for unexpected package installations. Implement network segmentation between CI/CD and production environments. Enable strict npm package integrity checking. Consider implementing package allowlists. Review and restrict GitHub Actions self-hosted runner permissions. Monitor for unauthorized runner registrations.