Nov 24, 2025Ravie LakshmananCloud Safety / Vulnerability
A number of safety distributors are sounding the alarm a couple of second wave of assaults concentrating on the npm registry in a way that is paying homage to the Shai-Hulud assault.
The brand new provide chain marketing campaign, dubbed Sha1-Hulud, has compromised a whole lot of npm packages, in response to reviews from Aikido, HelixGuard, Koi Safety, Socket, and Wiz.
“The marketing campaign introduces a brand new variant that executes malicious code throughout the preinstall part, considerably rising potential publicity in construct and runtime environments,” Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski mentioned.
Just like the Shai-Hulud assault that got here to gentle in September 2025, the newest exercise additionally publishes stolen secrets and techniques to GitHub, this time with the repository description: “Sha1-Hulud: The Second Coming.”
The prior wave was characterised by the compromise of respectable packages to push malicious code designed to go looking developer machines for secrets and techniques utilizing TruffleHog’s credential scanner and transmit them to an exterior server below the attacker’s management.
The contaminated variants additionally got here with the flexibility to propagate in a self-replicating method by re-publishing itself into different npm packages owned by the compromised maintainer.
Within the newest set of assaults, the attackers have been discovered so as to add to a preinstall script (“setup_bun.js”) within the bundle.json file, which is configured to stealthily set up or find the Bun runtime and run a bundled malicious script (“bun_environment.js”).
The malicious payload carries out the next sequence of actions by means of two completely different workflows –
Registers the contaminated machine as a self-hosted runner named “SHA1HULUD” and provides a workflow referred to as .github/workflows/dialogue.yaml that incorporates an injection vulnerability and runs particularly on self-hosted runners, permitting the attacker to run arbitrary instructions on the contaminated machines by opening discussions within the GitHub repository
Exfiltrates secrets and techniques outlined within the GitHub secrets and techniques part and uploads them as an artifact, after which it is downloaded, adopted by deleting the workflow to hide the exercise.
“Upon execution, the malware downloads and runs TruffleHog to scan the native machine, stealing delicate data corresponding to NPM Tokens, AWS/GCP/Azure credentials, and surroundings variables,” Helixuard famous.
Wiz mentioned it noticed over 25,000 affected repositories throughout about 350 distinctive customers, with 1,000 new repositories being added persistently each half-hour within the final couple of hours.
“This marketing campaign continues the pattern of npm supply-chain compromises referencing Shai-Hulud naming and tradecraft, although it might contain completely different actors,” Wiz mentioned. “The menace leverages compromised maintainer accounts to publish trojanized variations of respectable npm packages that execute credential theft and exfiltration code throughout set up.”
Koi Safety referred to as the second wave much more aggressive, including that the malware makes an attempt to destroy the sufferer’s complete residence listing if it fails to authenticate or set up persistence. This consists of each writable file owned by the present consumer below their residence folder. Nevertheless, this wiper-like performance is triggered solely when the next circumstances are glad –
It can not authenticate to GitHub
It can not create a GitHub repository
It can not fetch a GitHub token
It can not discover an npm token
“In different phrases, if Sha1-Hulud is unable to steal credentials, receive tokens, or safe any exfiltration channel, it defaults to catastrophic information destruction,” safety researchers Yuval Ronen and Idan Dardikman mentioned. “This marks a major escalation from the primary wave, shifting the actor’s techniques from purely data-theft to punitive sabotage.”
To mitigate the danger posed by the menace, organizations are being urged to scan all endpoints for the presence of impacted packages, take away compromised variations with quick impact, rotate all credentials, and audit repositories for persistence mechanisms by reviewing .github/workflows/ for suspicious information corresponding to shai-hulud-workflow.yml or sudden branches.
(It is a growing story and will probably be up to date as new particulars emerge.)
