Security Update: Cobalt on the Shai-Hulud npm Supply-Chain Compromise

On November 24, 2025, the security community disclosed a large-scale Shai-Hulud supply-chain campaign targeting the npm (Node Package Manager) ecosystem. Researchers have identified more than 500 trojanized packages and more than 26,000 automatically generated GitHub repositories created to store stolen developer and CI/CD secrets. Because of the rapid propagation across the ecosystem, many organizations, both large and small, have been impacted.

As part of this industry-wide incident, a small number of secondary Cobalt repositories have since been identified as affected by the campaign.

Cobalt has a culture of transparency and a commitment to sharing lessons with the broader security community. That is why we want to explain what happened, what we saw in our environment, and the steps we took to contain and investigate the incident.

We also want to be clear about one key point upfront: at this time, we have found no evidence that customer data, customer environments, or production systems have been accessed or impacted.

What Happened

Shai-Hulud is a malware campaign that targets the software supply chain by publishing trojanized versions of popular npm packages. These packages contain malicious pre-install scripts that attempt to collect secrets from developer machines and CI/CD environments and then post them to attacker-controlled GitHub repositories.

In our case:

  • A subset of development resources at Cobalt interacted with npm packages that have since been linked to the Shai-Hulud campaign.
  • The malicious logic was designed to execute during install or pre-install stages, with the goal of harvesting tokens and environment secrets.
  • Once the campaign came to light in the broader ecosystem, we began a focused review of logs, build pipelines, and repository activity tied to these packages.

We treat any indication of supply-chain compromise as a serious event, even when there is no confirmed impact to production systems or customer data.

How We Detected and Contained It

Our internal monitoring detected unusual activity associated with a portion of the development environment that interacts with npm packages. In parallel, community disclosures about Shai-Hulud provided additional information for us to act on.

In response, we:

  • Initiated a precautionary incident investigation focused on npm-related activity and code repositories that may have consumed affected packages.
  • Activated our security protocols and incident response playbook for supply-chain events.
  • Rotated relevant keys and credentials, including npm, GitHub, CI/CD, and cloud-related secrets tied to the affected environment.
  • Increased monitoring and detection around code repositories, build systems, and authentication flows, including tighter alerts on unusual repository activity and token usage.
  • Validated segmentation and access controls between development systems and production infrastructure.

At this time, our investigation supports the conclusion that the incident was contained to a limited part of the development environment and did not impact customer environments or production services.

What We Know Today

Based on our investigation to date:

  • We have found no evidence that customer data, customer environments, or production systems have been accessed or impacted.
  • We have not observed successful lateral movement from development systems into production or customer-facing environments.
  • We have rotated secrets and hardened controls around systems that could have interacted with malicious packages.
  • Cobalt services are operating normally, and we do not anticipate service disruption as a result of this incident.

The investigation remains ongoing. If new information emerges that changes this assessment, we will update customers and partners promptly.

Moving Forward

Cobalt will continue to investigate this incident with diligence and transparency. Because this is an ecosystem-wide attack, we will also share insights and emerging best practices with customers and the broader community to help reduce risk across the supply chain.

If we identify additional information that affects customers or partners, we will communicate directly. In the meantime, if you have questions about this event or about strengthening your own supply-chain security posture, please contact our security team at security@cobalt.io.

About Sonali Shah
Sonali Shah joined Cobalt as CEO in August 2024. She joined us after serving on the company's Board of Directors. She is a seasoned business leader and product visionary with more than 20 years of experience scaling high-growth businesses across the cybersecurity landscape. Shah holds an MBA from Wharton and a Master's in Economics from the London School of Economics.