AWS blocked 150K malicious npm packages in 2025

Evgeny Anikiev December 27, 2025 AWS, CyberSecurity

When 150,000 malicious npm packages hit the registry in late October, AWS Security didn't panic. They moved.

Over the past few months, three major campaigns targeted open-source developers: the Nx compromise (August), Shai-Hulud worm (September), and a token-farming attack (October–November). Each one taught them something new. Each response got faster.

The timeline matters:

Nx compromise: 30 minutes to incident command.
Shai-Hulud: 7 minutes to response.
Tea token farming: 150,000 packages detected and registered with OpenSSF, within 30 minutes of each detection.

What made the difference? Behavioral monitoring. Cross-referencing intelligence. Layered defenses. AI-assisted analysis of obfuscated code. And yes, learning from each incident to catch the next one faster.

The worms were sophisticated. Shai-Hulud didn't just steal credentials—it self-propagated through postinstall scripts, manipulated GitHub workflows, and spread like a virus through trusted packages. Nx tried to exploit GenAI tools. The token-farming campaign went after Tea tokens in the open-source economy.

But here's what AWS learned: these attacks follow patterns. Credential harvesting. Trust exploitation. Massive scale. Evasion techniques. Once you see the pattern, you can build defenses around it.

What you should do right now:

Continuous monitoring with Amazon Inspector and Security Hub.
Layered protection: GuardDuty, CloudTrail, Network Firewall.
Keep a full inventory of your dependencies, including transitive ones.
Report suspicious packages. Share threat intel. Participate in collective defense.
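To make the inventory step concrete, here is an added example (not code from this post or from AWS) that parses an npm lockfile, lists every direct and transitive package, and flags those declaring install lifecycle scripts, the hook the post says Shai-Hulud spread through. It assumes npm's lockfile v2/v3 layout (the `packages` map with its `hasInstallScript` field); the sample lockfile and package names are constructed.

```javascript
// Added example, not code from the post or from AWS: build a dependency
// inventory from an npm lockfile (lockfileVersion 2 or 3) and flag every
// package, direct or transitive, that declares an install lifecycle script.
// Assumes npm's "packages" map and "hasInstallScript" field; sample is constructed.

// Constructed sample lockfile: two direct deps, one nested transitive dep.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-direct': '^1.0.0' }, devDependencies: { 'example-builder': '^2.0.0' } },
    'node_modules/example-direct': { version: '1.0.0' },
    'node_modules/example-builder': { version: '2.0.0', hasInstallScript: true },
    'node_modules/example-builder/node_modules/example-nested': { version: '0.1.0', hasInstallScript: true },
  },
};

// "node_modules/a" -> { name: 'a', depth: 1 }; "node_modules/a/node_modules/b" -> depth 2.
function parsePackagePath(key) {
  const parts = key.split('node_modules/').filter(Boolean);
  return { name: parts[parts.length - 1].replace(/\/$/, ''), depth: parts.length };
}

// Full inventory: [{ name, version, depth, direct, hasInstallScript }] sorted by name.
function inventory(lockfile) {
  const packages = lockfile.packages || {};
  const root = packages[''] || {};
  const rootDeps = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const entries = [];
  for (const [key, meta] of Object.entries(packages)) {
    if (key === '') continue; // the root project itself, not a dependency
    const { name, depth } = parsePackagePath(key);
    entries.push({ name, version: meta.version, depth, direct: depth === 1 && rootDeps.has(name),
      hasInstallScript: meta.hasInstallScript === true }); // preinstall/install/postinstall hook present
  }
  return entries.sort((a, b) => a.name.localeCompare(b.name));
}

// Packages whose hooks run during `npm ci`; review these, or install with --ignore-scripts.
function installScriptPackages(lockfile) {
  return inventory(lockfile).filter((e) => e.hasInstallScript);
}

if (typeof module !== 'undefined' && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCKFILE;
  for (const e of inventory(lock)) {
    console.log(`${e.name}@${e.version} ${e.direct ? 'direct' : 'transitive'} depth=${e.depth}${e.hasInstallScript ? '  <-- install script' : ''}`);
  }
}
```

Run it with the path to a real package-lock.json to inventory a project; the flagged entries are the ones to review before letting `npm ci` execute their hooks.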

Supply chain attacks aren't slowing down. They're getting smarter. But so is AWS Security. And they're sharing what they learned so you can protect your stack too.

Read the full incident response breakdown on the AWS Security blog. Details matter when your dependencies are under attack.
