GMS-2025-498: kill-port contains malware after npm account takeover

November 25, 2025 (updated December 2, 2025)

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to previous versions.

References

about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
socket.dev/blog/shai-hulud-strikes-again-v2
www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

Code Behaviors & Features

Detect and mitigate GMS-2025-498 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →