BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Second Wave of Sha1-Hulud Attack Hits Hundreds of NPM Packages

Sha1-Hulud Supply Chain Attack Compromises Hundreds of npm Packages, Steals Credentials, and Destroys Data if Exfiltration Fails

  • A new wave of supply chain attacks named Sha1-Hulud has compromised hundreds of npm packages between November 21 and 23, 2025.
  • The attack executes malicious code during the preinstall phase, targeting build and runtime environments.
  • The Malware steals credentials by scanning local machines and exfiltrates secrets from GitHub repositories.
  • In case of failure to steal credentials or establish control, the malware destroys user data, marking a significant escalation.
  • Over 25,000 repositories have been affected, prompting urgent recommendations to remove compromised packages and audit repositories for malicious workflows.

New reports have surfaced about a renewed supply chain attack campaign called Sha1-Hulud, which has infiltrated hundreds of npm packages over several days in late November 2025. The compromised packages were uploaded to the npm registry from November 21 to 23, according to detailed analyses by security firms including Aikido, HelixGuard, and others.

- Advertisement -

This campaign introduces a malicious variant that runs code in the preinstall stage of npm package deployment. Researchers from Wiz noted the expanded risk to build and runtime environments. The attack includes adding a preinstall script titled “setup_bun.js” to the package.json file, which stealthily installs or finds the Bun runtime environment and executes a malicious script called “bun_environment.js.”

The payload initiates two key workflows. First, it registers the infected computer as a self-hosted runner named “SHA1HULUD” and installs a GitHub Actions workflow (.github/workflows/discussion.yaml) containing an injection flaw. This workflow runs only on self-hosted runners and allows attackers to execute arbitrary commands by opening discussions in the GitHub repo. Second, it exfiltrates secrets stored in GitHub’s secrets section by uploading them as artifacts before deleting the workflow to hide evidence.

According to HelixGuard, the malware also runs the credential scanner TruffleHog. This tool searches local systems for sensitive data such as npm tokens, cloud credentials (AWS, GCP, Azure), and environment variables, which are then sent to the attackers.

Over 25,000 repositories linked to approximately 350 unique users have been affected, with new infections increasing steadily—about 1,000 additional repositories every 30 minutes, reported Wiz. The campaign continues the style of the earlier Shai-Hulud breach from September 2025 but may involve different threat actors.

- Advertisement -

A notable escalation described by Koi Security involves a destructive “wiper” function. If the malware fails to authenticate with GitHub, create repositories, retrieve tokens, or locate npm tokens, it erases all writable files in the user’s home directory. Security researchers Yuval Ronen and Idan Dardikman said, “If Sha1-Hulud is unable to steal credentials, obtain tokens, or secure any exfiltration channel, it defaults to catastrophic data destruction.”

Organizations are advised to scan endpoints for compromised npm packages, remove affected versions immediately, rotate all credentials, and closely audit repositories for suspicious workflows or branches under the .github/workflows/ directory, looking for files like shai-hulud-workflow.yml.

(This situation remains under investigation and details will be updated as they become available.)

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

OpenAI Questions Merit of Apple’s Trade Secrets Suit

Apple accused OpenAI of targeting current and former employees to obtain confidential documents, designs,...

Senate to vote on crypto bill amid ethics corruption debate

The US Senate is expected to vote before August 10 on the CLARITY Act,...

IBM shares plummet 25% after earnings miss, worst drop in decades

IBM shares plunged up to 25% on Tuesday after missing Q2 earnings expectations, marking...

DeepMind CEO: AGI just years away, demands new US safety tests

Google DeepMind CEO Demis Hassabis predicts AGI will arrive within a few years, comparing...

Warsh: No Stablecoin Bailout, GENIUS Act Deadline Near

Federal Reserve Chair Kevin Warsh told lawmakers the central bank will not bail out...

Must Read

10 Best Crypto to Mine Without Special Hardware Equipment

A lot of people mostly think that it takes a difficult process to mine cryptocurrency. today we are going to show you some of...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading