Second Wave of Sha1-Hulud Attack Hits Hundreds of NPM Packages

Sha1-Hulud Supply Chain Attack Compromises Hundreds of npm Packages, Steals Credentials, and Destroys Data if Exfiltration Fails

  • A new wave of supply chain attacks named Sha1-Hulud has compromised hundreds of npm packages between November 21 and 23, 2025.
  • The attack executes malicious code during the preinstall phase, targeting build and runtime environments.
  • The malware steals credentials by scanning local machines and exfiltrates secrets from GitHub repositories.
  • In case of failure to steal credentials or establish control, the malware destroys user data, marking a significant escalation.
  • Over 25,000 repositories have been affected, prompting urgent recommendations to remove compromised packages and audit repositories for malicious workflows.

New reports have surfaced about a renewed supply chain attack campaign called Sha1-Hulud, which has infiltrated hundreds of npm packages over several days in late November 2025. The compromised packages were uploaded to the npm registry from November 21 to 23, according to detailed analyses by security firms including Aikido, HelixGuard, and others.


This campaign introduces a malicious variant that runs code in the preinstall stage of npm package deployment. Researchers from Wiz noted the expanded risk to build and runtime environments. The attack includes adding a preinstall script titled “setup_bun.js” to the package.json file, which stealthily installs or finds the Bun runtime environment and executes a malicious script called “bun_environment.js.”

The payload initiates two key workflows. First, it registers the infected computer as a self-hosted runner named “SHA1HULUD” and installs a GitHub Actions workflow (.github/workflows/discussion.yaml) containing an injection flaw. This workflow runs only on self-hosted runners and allows attackers to execute arbitrary commands by opening discussions in the GitHub repo. Second, it exfiltrates secrets stored in GitHub’s secrets section by uploading them as artifacts before deleting the workflow to hide evidence.

According to HelixGuard, the malware also runs the credential scanner TruffleHog. This tool searches local systems for sensitive data such as npm tokens, cloud credentials (AWS, GCP, Azure), and environment variables, which are then sent to the attackers.

Over 25,000 repositories linked to approximately 350 unique users have been affected, with new infections increasing steadily at about 1,000 additional repositories every 30 minutes, according to Wiz. The campaign continues the style of the earlier Shai-Hulud breach from September 2025 but may involve different threat actors.


A notable escalation described by Koi Security involves a destructive “wiper” function. If the malware fails to authenticate with GitHub, create repositories, retrieve tokens, or locate npm tokens, it erases all writable files in the user’s home directory. Security researchers Yuval Ronen and Idan Dardikman said, “If Sha1-Hulud is unable to steal credentials, obtain tokens, or secure any exfiltration channel, it defaults to catastrophic data destruction.”

Organizations are advised to scan endpoints for compromised npm packages, remove affected versions immediately, rotate all credentials, and closely audit repositories for suspicious workflows or branches under the .github/workflows/ directory, looking for files like shai-hulud-workflow.yml.
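The audit steps above (checking installed packages for the preinstall hook and checking repositories for the self-hosted, discussion-triggered workflow) can be scripted. The following is an added example written for this page, not code from the article or from any of the security firms it cites. It hard-codes the file names and runner label the article quotes as indicators, parses package.json as standard npm JSON, and uses plain text matching on workflow YAML so it has no third-party dependencies; the sample inputs at the bottom are constructed for a stand-alone run and are not real package contents.

```python
"""Scan a checkout or node_modules tree for the Sha1-Hulud indicators named in the article.

Added example for this page; indicator strings come from the article text,
everything else (function names, heuristics, sample data) is an assumption.
"""
import json
import os
import re

# Indicator strings quoted in the article.
PAYLOAD_FILES = ("setup_bun.js", "bun_environment.js")
WORKFLOW_FILE_NAMES = ("shai-hulud-workflow.yml", "discussion.yaml")
RUNNER_LABEL = "SHA1HULUD"

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def check_package_json(text):
    """Return a list of findings for one package.json body given as a string."""
    findings = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    scripts = data.get("scripts") or {}
    if not isinstance(scripts, dict):
        return findings
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        if any(name in cmd for name in PAYLOAD_FILES):
            findings.append(f"{hook} references a known payload file: {cmd!r}")
        elif hook == "preinstall":
            # A preinstall hook runs arbitrary code at install time, so any
            # such hook deserves review even when it matches no known name.
            findings.append(f"preinstall hook present: {cmd!r}")
    return findings


# Heuristics (assumptions): a job on a self-hosted runner, an `on: discussion`
# trigger, and discussion event data interpolated with ${{ }} (the expression
# injection pattern the article describes).
_SELF_HOSTED = re.compile(r"runs-on:\s*\[?\s*['\"]?self-hosted", re.I)
_DISCUSSION_TRIGGER = re.compile(
    r"^\s*discussion(_comment)?\s*:|^on:\s*\[[^\]]*\bdiscussion\b", re.M)
_DISCUSSION_EXPR = re.compile(r"\$\{\{[^}]*github\.event\.discussion\.")


def check_workflow(text, filename):
    """Return a list of findings for one GitHub Actions workflow file."""
    findings = []
    if os.path.basename(filename) in WORKFLOW_FILE_NAMES:
        findings.append(f"workflow file name matches indicator: {filename}")
    if RUNNER_LABEL.lower() in text.lower():
        findings.append(f"workflow references runner label {RUNNER_LABEL}")
    if _SELF_HOSTED.search(text) and _DISCUSSION_TRIGGER.search(text):
        findings.append("self-hosted job triggered by discussion events")
    if _DISCUSSION_EXPR.search(text):
        findings.append("discussion event data interpolated with ${{ }} "
                        "(expression injection risk)")
    return findings


def scan_tree(root):
    """Walk a directory tree and return {path: [findings]} for flagged files."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        in_workflows = dirpath.replace(os.sep, "/").endswith(".github/workflows")
        for name in files:
            path = os.path.join(dirpath, name)
            findings = []
            if name == "package.json":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = check_package_json(fh.read())
            elif in_workflows and name.endswith((".yml", ".yaml")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = check_workflow(fh.read(), path)
            if findings:
                results[path] = findings
    return results


# Constructed sample inputs (not real package contents) for a stand-alone run.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"preinstall": "node setup_bun.js", "test": "jest"},
})
CLEAN_PACKAGE_JSON = json.dumps({
    "name": "clean-pkg", "version": "2.0.0", "scripts": {"build": "tsc"},
})
SAMPLE_WORKFLOW = """name: discussion
on:
  discussion:
    types: [created]
jobs:
  process:
    runs-on: self-hosted
    steps:
      - run: echo "${{ github.event.discussion.title }}"
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            for item in found:
                print(f"{path}: {item}")
    else:
        print(check_package_json(SAMPLE_PACKAGE_JSON))
        print(check_workflow(SAMPLE_WORKFLOW, ".github/workflows/discussion.yaml"))
```

Run it with a path argument (a repository checkout or a node_modules directory) to get one line per finding; without arguments it prints the findings for the constructed samples. The workflow checks are text heuristics rather than a YAML parse, so a job or key that merely happens to be named `discussion` can produce a false positive; treat each hit as something to read, not as a verdict.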

(This situation remains under investigation and details will be updated as they become available.)
