
Second Sha1-Hulud Wave Impacts 25,000+ Repositories through npm Preinstall Credential Theft

A number of security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner reminiscent of the Shai-Hulud attack.

The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, Koi Security, Socket, StepSecurity, and Wiz. The trojanized npm packages were uploaded to npm between November 21 and 23, 2025.

“The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing potential exposure in build and runtime environments,” Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski said.

Like the Shai-Hulud attack that came to light in September 2025, the latest activity also publishes stolen secrets to GitHub, this time with the repository description: “Sha1-Hulud: The Second Coming.”


The prior wave was characterized by the compromise of legitimate packages to push malicious code designed to search developer machines for secrets using TruffleHog’s credential scanner and transmit them to an external server under the attacker’s control.


The infected variants also came with the ability to propagate in a self-replicating manner by re-publishing themselves into other npm packages owned by the compromised maintainer.

In the latest set of attacks, the attackers have been found to add a preinstall script (“setup_bun.js”) to the package.json file, which is configured to stealthily install or locate the Bun runtime and run a bundled malicious script (“bun_environment.js”).

The malicious payload carries out the following sequence of actions through two different workflows –

  • Registers the infected machine as a self-hosted runner named “SHA1HULUD” and adds a workflow called .github/workflows/discussion.yaml that contains an injection vulnerability and runs specifically on self-hosted runners, allowing the attacker to run arbitrary commands on the infected machines by opening discussions in the GitHub repository
  • Exfiltrates all secrets defined in the GitHub secrets section and uploads them as an artifact to a file named “actionsSecrets.json” in the exfiltration repositories, after which it is downloaded to the compromised machine and the workflow is deleted to conceal the activity

“Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables,” HelixGuard noted.

Wiz said it observed over 25,000 affected repositories across about 350 unique users, with 1,000 new repositories being added consistently every 30 minutes in the last couple of hours.

“This campaign continues the trend of npm supply-chain compromises referencing Shai-Hulud naming and tradecraft, though it may involve different actors,” Wiz said. “The threat leverages compromised maintainer accounts to publish trojanized versions of legitimate npm packages that execute credential theft and exfiltration code during installation.”

Koi Security called the second wave even more aggressive, adding that the malware attempts to destroy the victim’s entire home directory if it fails to authenticate or establish persistence. This includes every writable file owned by the current user under their home folder. However, this wiper-like functionality is triggered only when all of the following conditions are met –

  • It cannot authenticate to GitHub
  • It cannot create a GitHub repository
  • It cannot fetch a GitHub token
  • It cannot find an npm token

“In other words, if Sha1-Hulud is unable to steal credentials, obtain tokens, or secure any exfiltration channel, it defaults to catastrophic data destruction,” security researchers Yuval Ronen and Idan Dardikman said. “This marks a significant escalation from the first wave, shifting the actor’s tactics from purely data theft to punitive sabotage.”


The malware has also been found to obtain root privileges by executing a Docker command that mounts the host’s root filesystem into a privileged container, with the goal of copying in a malicious sudoers file that grants the compromised user passwordless root access.

To mitigate the risk posed by the threat, organizations are being urged to scan all endpoints for the presence of impacted packages, remove compromised versions with immediate effect, rotate all credentials, and audit repositories for persistence mechanisms by reviewing .github/workflows/ for suspicious files such as shai-hulud-workflow.yml or unexpected branches.

(This is a developing story and will be updated as new details emerge.)
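The following triage script is an added example, not code from the article or from any of the vendors it cites. It covers the two audit points above: it walks a checkout (including node_modules) for package.json preinstall hooks that invoke the reported setup_bun.js/bun_environment.js files, and it flags GitHub workflow files either by the reported names or by the combination the campaign relies on, a discussion-triggered job pinned to a self-hosted runner. The sample package.json and workflow text are constructed for the stand-alone run.

```python
import json
import os
import re

# File names quoted in the reporting above (case-sensitive).
SUSPECT_SCRIPT_FILES = {"setup_bun.js", "bun_environment.js"}
SUSPECT_WORKFLOW_FILES = {"discussion.yaml", "shai-hulud-workflow.yml"}
# Constructed sample inputs for the stand-alone run (not real package contents).
SAMPLE_PACKAGE_JSON = '{"name": "x", "scripts": {"preinstall": "node setup_bun.js"}}'
SAMPLE_WORKFLOW = "on:\n  discussion:\n    types: [created]\njobs:\n  run:\n    runs-on: self-hosted\n"

def check_package_text(text, path="package.json"):
    """Flag a package.json whose preinstall hook calls one of the suspect files."""
    try:
        scripts = json.loads(text).get("scripts") or {}
    except (ValueError, AttributeError):
        return []  # unparseable or not a JSON object: nothing to report
    hook = str(scripts.get("preinstall", ""))
    if any(name in hook for name in SUSPECT_SCRIPT_FILES):
        return [f"{path}: preinstall hook runs suspect script {hook!r}"]
    return []

def check_workflow_text(text, path):
    """Flag workflows by reported file name, or by the discussion-trigger plus
    self-hosted-runner pairing that gives the attacker command execution."""
    findings = []
    if os.path.basename(path) in SUSPECT_WORKFLOW_FILES:
        findings.append(f"{path}: workflow file name matches a reported indicator")
    on_discussion = re.search(r"^\s*discussion\s*:", text, re.M) is not None
    self_hosted = re.search(r"runs-on:.*self-hosted", text) is not None
    if on_discussion and self_hosted:
        findings.append(f"{path}: discussion-triggered job on a self-hosted runner")
    return findings

def scan_tree(root):
    """Walk a checkout (node_modules included) and collect every finding."""
    findings = []
    wf_dir = os.path.join(".github", "workflows")
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(check_package_text(fh.read(), path))
            elif name in SUSPECT_SCRIPT_FILES:
                findings.append(f"{path}: suspect payload file present")
            elif dirpath.endswith(wf_dir) and name.endswith((".yml", ".yaml")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(check_workflow_text(fh.read(), path))
    return findings

if __name__ == "__main__":
    print(check_package_text(SAMPLE_PACKAGE_JSON))
    print(check_workflow_text(SAMPLE_WORKFLOW, ".github/workflows/discussion.yaml"))
```

Run `scan_tree(".")` from a repository root; a hit on a workflow file is a reason to also check the repository's registered runners and recent discussion activity, and any hit on a package means rotating the credentials that host had access to.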
