Second Sha1-Hulud wave affects over 25,000 repositories via npm preinstall credential theft
November 24, 2025Ravi LakshmananCloud security/vulnerabilities

Multiple security vendors are warning of a second wave of attacks targeting the npm registry in a manner reminiscent of the Shai-Hulud attack.

Aikido, HelixGuard, Koi Security, Socket, and Wiz report that this new supply chain campaign, called Sha1-Hulud, compromised hundreds of npm packages. The trojanized packages were uploaded to npm between November 21 and 23, 2025.

Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski said, “This campaign introduces a new variant that executes malicious code during the preinstallation stage, significantly increasing the potential for compromise in build and runtime environments.”

Similar to the Shai-Hulud attack revealed in September 2025, the latest campaign also published stolen secrets on GitHub, this time with the repository description “Sha1-Hulud: The Second Coming.”


Previous waves were characterized by compromising legitimate packages and pushing malicious code designed to use TruffleHog’s credential scanner to search for secrets on developer machines and send them to external servers under the attacker’s control.

Infected variants also have the ability to propagate in a self-replicating manner by republishing themselves to other npm packages owned by the compromised administrator.

In the latest round of attacks, the attackers were found to be adding a preinstall script (‘setup_bun.js’) to the package.json file. This script is configured to covertly locate or install the Bun runtime and then run a bundled malicious script (‘bun_environment.js’).

The malicious payload performs the following sequence of actions through two different workflows:

  • It registers the infected machine as a self-hosted runner named ‘SHA1HULUD’ and adds a workflow file, .github/workflows/Discussion.yaml. That workflow contains an injection vulnerability and runs specifically on self-hosted runners, so an attacker can execute arbitrary commands on an infected machine by opening a discussion in the GitHub repository.
  • It extracts the secrets defined in the repository’s GitHub Secrets and uploads them as an artifact; once the artifact has been downloaded, the workflow is deleted to hide the activity.

“When executed, the malware downloads and runs TruffleHog, scans the local machine, and steals sensitive information such as NPM tokens, AWS/GCP/Azure credentials, and environment variables,” HelixGuard said.

Wiz says it has discovered over 25,000 affected repositories across approximately 350 unique users, with 1,000 new repositories being continuously added every 30 minutes over the past few hours.

“This campaign continues the trend of NPM supply chain compromises referencing Shai-Hulud naming and tradecraft, but may involve different actors,” Wiz said. “This threat leverages a compromised maintainer account to publish a trojanized version of a legitimate npm package that executes credential stealing and leaking code during installation.”

Koi Security said the second wave is more aggressive, adding that if authentication or persistence fails, the malware attempts to destroy the victim’s entire home directory. This includes all writable files owned by the current user under their home folder. However, this wiper-like feature is only triggered when the following conditions are met:

  • Unable to authenticate to GitHub
  • Unable to create a GitHub repository
  • Unable to fetch a GitHub token
  • Missing npm token


“In other words, if Sha1-Hulud cannot steal credentials, obtain tokens, or secure an exfiltration path, catastrophic data destruction will be the default,” said security researchers Yuval Ronen and Idan Durdikman. “This marks a significant escalation from the first wave, with attacker tactics moving from pure data theft to punitive sabotage.”

To mitigate the risk posed by this threat, organizations are urged to scan all endpoints for the presence of affected packages, immediately remove compromised versions, rotate all credentials, and audit repositories for persistence mechanisms by checking .github/workflows/ for suspicious files such as shai-hulud-workflow.yml and for unexpected branches.

(This is a developing story and will be updated as new details become available.)
