
The JavaScript community is grappling with a new software supply-chain attack: malware dubbed Shai-Hulud has poisoned hundreds of packages in the npm registry. This malicious campaign – referred to by its authors as “Sha1-Hulud: The Second Coming” – exceeds the scale of the worm’s first appearance in September 2025. Over the span of a few days, more than 800 npm packages were published with backdoored versions via hijacked maintainer accounts, including many widely used libraries (for example, Zapier’s official SDKs, ENS Domains modules, PostHog plugins, Postman and AsyncAPI tools, etc.).
The compromised packages execute code that steals developer secrets (API keys, GitHub/NPM tokens, cloud credentials, etc.) and exfiltrates them to public GitHub repositories created by the malware. In total, roughly 27,000 such GitHub repositories were generated to host the stolen data. GitHub is working to remove these malicious repos as they appear, but the attackers are creating new ones at a rapid pace.
Attack Timeline and Background
Shai-Hulud initially emerged in mid-September 2025 as a self-replicating worm targeting the Node.js ecosystem. The first wave compromised 187 npm packages by injecting a malicious module that could scan developer machines for secrets (using the TruffleHog tool) and publish anything found to an external repository. The threat actor automated this spread by downloading popular legitimate packages, adding a malicious install script to the package.json, and republishing them to npm under compromised maintainer accounts.
On November 24, 2025, researchers at Aikido Security discovered a new surge of npm infections exhibiting Shai-Hulud indicators. Initially around 105 packages were identified as trojanized, but this count quickly rose to 492 (unique package names) within hours. The attack grew exponentially: in the end, over 25,000 malicious package versions were pushed to npm in this second wave, across roughly 350 compromised maintainer accounts. Notably, this flare-up occurred just as npm was preparing to tighten its platform security by revoking legacy authentication tokens on December 9, 2025 – a deadline the attackers evidently seized upon to strike before those protections took effect.
Attack Chain and Malware Capabilities
The “Sha1-Hulud: The Second Coming” variant employs a sophisticated attack chain triggered during package installation (via the preinstall script). According to StepSecurity’s analysis, the malware executes a sequence of five stages during the install process:
- Stage 1 – Initial infection (Bun dropper): The compromised package’s preinstall triggers a dropper script named setup_bun.js. This script checks for the presence of the Bun runtime on the system. If Bun is not installed, the dropper silently downloads and installs it using the official installer script (e.g. running curl https://bun.sh/install | bash). The dropper then reloads the updated PATH and executes the main payload by invoking the Bun binary on the file bun_environment.js included in the malicious package.
- Stage 2 – Loading the malicious payload: The bun_environment.js file contains the core of the malware. It is extremely obfuscated (over 10 MB of code comprising massive hex-encoded string arrays, anti-analysis loops performing millions of operations, and heavily disguised string-reconstruction functions). Upon execution, the code first checks its context: on a Continuous Integration (CI/CD) runner, it proceeds immediately to data exfiltration; on a developer’s local machine, it forks itself into the background to delay malicious activity. In practice, the original install process exits right away (preserving the appearance of a normal npm install), while a hidden child process continues a few seconds later to carry out the subsequent stages.
- Stage 3 – Secret collection and exfiltration: The malware gathers extensive information from the infected system (OS, architecture, hostname, user, environment variables, etc.). It searches for and extracts any available sensitive credentials: the user’s GitHub token (reusing an existing login or stored credential if found), an npm token (if present in the ~/.npmrc file), as well as cloud platform secrets – for example, it attempts to query AWS Secrets Manager, Google Cloud Secret Manager, and Azure Key Vault via their APIs (assuming the machine has valid access rights/credentials to those services). The malware also downloads and runs TruffleHog to scan the local project for any hard-coded keys or secrets. All gathered data is then exfiltrated to GitHub: the malware uses the GitHub API to create a new public repository under the victim’s account (with a random name and the description “Sha1-Hulud: The Second Coming”), and uploads multiple JSON files containing the stolen information (e.g. cloud.json, content.json, environment.json, truffleSecrets.json). These exfiltration requests leverage the victim’s own GitHub token, making them appear as legitimate user activity and thereby evading typical detections (secret scanners, egress filters).
- Stage 4 – Persistence and privilege escalation: To maintain access, Shai-Hulud installs a backdoor in the victim’s environment. It first registers the infected machine as a self-hosted GitHub Actions runner (named “SHA1HULUD”) and creates a malicious Actions workflow in the GitHub repository (.github/workflows/discussion.yaml) designed to enable remote code execution. This workflow triggers on new Discussion events and contains a command-injection vulnerability: in essence, if the attacker opens a discussion on the repo with a specially crafted comment, the compromised runner will execute that content on the victim machine, granting the attacker remote code execution at a later time. In parallel, the malware attempts to escalate privileges on the local host: if Docker is available (and the user has permission to use it), the malware runs a container that mounts the host filesystem and inserts a malicious entry into the system’s sudoers configuration. This grants the attacker password-less root access on the compromised machine, ensuring persistent full control even if the initial user account lacked administrative rights.
- Stage 5 – Conditional destruction: If certain exfiltration/persistence conditions are not met, the malware activates a destructive routine as a “fallback” or punitive measure. If no valid GitHub or npm token could be obtained and the malware failed to create its GitHub repo (i.e. if all attempts to steal credentials and establish persistence were thwarted), Shai-Hulud will wipe the victim’s data. On Linux systems, for example, it executes a command to securely delete all files in the user’s home directory (using shred to overwrite file contents). This wiper-like functionality only triggers in the scenario where exfiltration is completely blocked, but it represents a sharp escalation from the first wave of the malware – shifting from pure data theft to outright sabotage if the attacker cannot steal any data.
Impact and Response
The incident has affected a wide range of projects in the Node.js ecosystem. The initial list of 186 compromised packages compiled by Aikido included many modules from Zapier, ENS Domains, PostHog and AsyncAPI, as well as tools related to Postman. Some of these packages are particularly significant: for example, the ENS Domains libraries are used by cryptocurrency wallets, DApps, and the ENS Manager app for handling .eth domain names (resolving them to Ethereum addresses, linking IPFS content, etc.), and Zapier’s SDKs are essential for building integrations on the popular automation platform. In total, the ~492 packages confirmed as infected in November account for 132 million combined downloads per month on npm – illustrating the potentially massive reach of this supply-chain compromise.
In response to the threat, GitHub and npm have taken action. The npm registry has flagged certain packages as compromised, displaying a warning about “unauthorized” publication on the latest malware-tainted version. GitHub, for its part, has been actively deleting the thousands of public repositories created by the malware, although the attacker was creating new ones almost as quickly. Security teams are urging affected developers and organizations to immediately revoke all exposed tokens and credentials (for GitHub, npm, AWS, GCP, Azure, etc.), replace the corrupted packages with clean versions, and audit their repositories for any malicious workflows or access points left behind by the attack. The return of Shai-Hulud comes at a time when GitHub is just beginning to roll out additional safeguards to protect the npm supply chain after previous attacks – a gradual process that underscores the ongoing challenge of countering this kind of sophisticated threat.
Sources
- BleepingComputer – Bill Toulas (24 Nov 2025): “Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub”
- Koi Security – Yuval Ronen & Idan Dardikman (24 Nov 2025): “Live Updates: Sha1-Hulud, The Second Coming – Hundreds of NPM Packages Compromised”
- Step Security – Ashish Kurmi (23 Nov 2025): “Sha1-Hulud: The Second Coming – Zapier, ENS Domains, and Other Prominent NPM Packages Compromised”
- Aikido Security – Charlie Eriksen (24 Nov 2025): “Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised”
- Wiz Research (24 Nov 2025): “Shai-Hulud 2.0 Supply Chain Attack: 25K+ npm Repos Exposed”
- The Hacker News – Ravie Lakshmanan (24 Nov 2025): “Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft”