Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft

By Team-CWD, December 4, 2025

Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that’s reminiscent of the Shai-Hulud attack.

The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, JFrog, Koi Security, ReversingLabs, SafeDep, Socket, Step Security, and Wiz. The trojanized npm packages were uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others.

“The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing potential exposure in build and runtime environments,” Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski said.

Like the Shai-Hulud attack that came to light in September 2025, the latest activity also publishes stolen secrets to GitHub, this time with the repository description: “Sha1-Hulud: The Second Coming.”

The prior wave was characterized by the compromise of legitimate packages to push malicious code designed to search developer machines for secrets using TruffleHog’s credential scanner and transmit them to an external server under the attacker’s control.

The infected variants also came with the ability to propagate in a self-replicating manner by re-publishing itself into other npm packages owned by the compromised maintainer.

In the latest set of attacks, the attackers have been found to add a preinstall script (“setup_bun.js”) to the package.json file, which is configured to stealthily install or locate the Bun runtime and then run a bundled malicious script (“bun_environment.js”).

The malicious payload carries out the following sequence of actions through two different workflows –

  • Registers the infected machine as a self-hosted runner named “SHA1HULUD” and adds a workflow called .github/workflows/discussion.yaml that contains an injection vulnerability and runs specifically on self-hosted runners, allowing the attacker to run arbitrary commands on the infected machines by opening discussions in the GitHub repository
  • Exfiltrates all GitHub Actions secrets and uploads them as an artifact to a file named “actionsSecrets.json” in the exfiltration repositories, after which it’s downloaded to the compromised machine and the workflow is deleted to conceal the activity

“Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables,” HelixGuard noted.

The widespread automated replication tied to the campaign has created a huge blast radius, affecting over 27,000 repositories across about 350 unique users, with roughly 1,000 new repositories being added every 30 minutes over the last couple of hours.

The new iteration supports Linux, macOS, and Windows platforms, and facilitates cross-victim exfiltration, where one victim’s secrets are pushed to a public repository owned by a second, unrelated victim. The exfiltrated data is encoded through three layers of Base64-encoding before upload.

Prior to executing the main payload, the malware searches public GitHub repositories for the beacon phrase “Sha1-Hulud: The Second Coming.” If found, it reads a stored file containing a GitHub access token, decodes it, and uses the recovered token as the main credential for exfiltration.

“This makes the malware self-healing – if a victim deletes previous malicious repositories, the attacker can re-seed victims through GitHub search,” the Socket Research Team said.

To automatically propagate the malware, the attack fetches a maximum of 100 packages associated with a valid npm token, injects “setup_bun.js” and “bun_environment.js” into each of them, patches package.json to add the preinstall script, bumps the package versions (x.y.z → x.y.z+1), and publishes them to the npm registry.

Separately, the malware performs automated credential scraping on all GitHub Actions metadata by searching for any string that starts with “npm_” as a way to poison additional packages.

“This campaign continues the trend of npm supply-chain compromises referencing Shai-Hulud naming and tradecraft, though it may involve different actors,” Wiz said. “The threat leverages compromised maintainer accounts to publish trojanized versions of legitimate npm packages that execute credential theft and exfiltration code during installation.”

Koi Security described the second wave as far more aggressive, adding that the malware attempts to destroy the victim’s entire home directory if it fails to authenticate or establish persistence. This includes every writable file owned by the current user under their home folder. However, this wiper-like functionality is triggered only when all of the following conditions are satisfied –

  • It cannot authenticate to GitHub
  • It cannot create a GitHub repository
  • It cannot fetch a GitHub token
  • It cannot find an npm token

“In other words, if Sha1-Hulud is unable to steal credentials, obtain tokens, or secure any exfiltration channel, it defaults to catastrophic data destruction,” security researchers Yuval Ronen and Idan Dardikman said. “This marks a significant escalation from the first wave, shifting the actor’s tactics from purely data-theft to punitive sabotage.”

The malware has also been found to obtain root privileges on Linux machines by executing a Docker command that mounts the host’s root filesystem into a privileged container, which it uses to copy in a malicious sudoers file granting the compromised user account passwordless root access.

To mitigate the risk posed by the threat, organizations are being urged to scan all endpoints for the presence of impacted packages, remove compromised versions immediately, rotate all credentials, and audit repositories for persistence mechanisms by reviewing .github/workflows/ for suspicious files such as shai-hulud-workflow.yml and for unexpected branches.
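An added example (not code from the article or from any of the vendors cited) that turns the indicators above into simple checks a defender can run over a checkout: it flags package.json install hooks that reference the preinstall loader and bundled payload named earlier, and flags a discussion-triggered GitHub Actions workflow pinned to a self-hosted runner. The file names, hook, runner label and trigger come from the article; the sample package.json and workflow text are constructed for illustration.

```javascript
// Added example, not from the article or any vendor report: heuristics that
// flag the Sha1-Hulud indicators described above. The file names, hook name,
// runner label and workflow trigger come from the article; the sample
// package.json and workflow text below are constructed for illustration.
const SUSPECT_FILES = ['setup_bun.js', 'bun_environment.js'];
// Scan one package.json text; returns a list of findings (empty means clean).
function scanPackageJson(text) {
  const findings = [];
  let pkg;
  try { pkg = JSON.parse(text); } catch (e) { pkg = null; }
  if (!pkg || typeof pkg !== 'object') return ['unparseable package.json'];
  const scripts = pkg.scripts || {};
  // The second wave fires during the preinstall phase, but check all install hooks.
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const f of SUSPECT_FILES) {
      if (cmd.includes(f)) findings.push(`${hook} script references ${f}`);
    }
  }
  // Files shipped in the tarball are listed under "files"; flag the payload names there too.
  for (const f of Array.isArray(pkg.files) ? pkg.files : []) {
    if (SUSPECT_FILES.includes(f)) findings.push(`package ships ${f}`);
  }
  return findings;
}
// Scan one GitHub Actions workflow; the persistence described above is a
// discussion-triggered workflow pinned to a self-hosted runner.
function scanWorkflow(name, text) {
  const findings = [];
  const selfHosted = /runs-on:\s*\[?\s*["']?self-hosted/i.test(text);
  const onDiscussion = /^\s*discussion\s*:/m.test(text) || /\bon:\s*\[[^\]]*\bdiscussion\b/.test(text);
  if (selfHosted && onDiscussion) findings.push(`${name}: discussion-triggered job on a self-hosted runner`);
  if (/SHA1HULUD/i.test(text) || /shai-hulud/i.test(name)) findings.push(`${name}: Shai-Hulud naming`);
  return findings;
}
// Constructed sample inputs mirroring the indicators in the article.
const SAMPLE_PKG = JSON.stringify({
  name: 'example-pkg', version: '1.2.4',
  scripts: { preinstall: 'node setup_bun.js' },
  files: ['index.js', 'bun_environment.js'],
});
const SAMPLE_WORKFLOW = [
  'name: discussion', 'on:', '  discussion:', '    types: [created]',
  'jobs:', '  run:', '    runs-on: self-hosted', '    steps:', '      - run: ./build.sh',
].join('\n');
console.log(scanPackageJson(SAMPLE_PKG));                      // two findings
console.log(scanWorkflow('discussion.yaml', SAMPLE_WORKFLOW)); // one finding
```

To use it on a real tree, feed every package.json under node_modules and every file under .github/workflows/ through the two functions; a non-empty result is a lead to investigate, not proof of compromise.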

“The Shai-Hulud 2.0 campaign represents a critical and highly aggressive escalation in software supply chain attacks, moving beyond its predecessor’s methods by changing the point of infection,” Justin Moore, senior manager of Threat Intel Research at Palo Alto Networks Unit 42, said.

“By targeting the pre-install phase of software dependencies, the malware achieves two significant breakthroughs: it completely eliminates the need for human interaction, guaranteeing execution on virtually every build server processing the infected package, and it effectively bypasses static scanning tools that inspect code during later build stages.”

“The more nefarious threat is the embedded ‘scorched earth’ contingency payload. If Shai-Hulud 2.0 fails to exfiltrate credentials, it executes a fail-safe that attempts to irrevocably destroy the victim’s entire home directory, escalating the attack from simple espionage into a guaranteed, highly disruptive denial-of-service event.”
