Wormable npm attack returns as 25,000 repos spill secrets
The Shai-Hulud malware campaign has trojanized over 27,000 npm packages, exposing more than 25,000 GitHub repositories with stolen developer and CI/CD secrets, researchers said.
- On November 23, Wiz researchers reported that Shai-Hulud had again trojanized npm packages; within three days, stolen secrets had been published to more than 25,000 GitHub repositories and the campaign had grown beyond 27,000 packages.
- Threat actors used compromised maintainer accounts to republish legitimate packages with malicious lifecycle scripts injected into package.json, a technique traced back to the initial September variant of Shai-Hulud.
- Technical analysis shows the payload consists of setup_bun.js and a 10 MB bun_environment.js that execute during the npm preinstall lifecycle stage, writing cloud.json and truffleSecrets.json before exfiltrating AWS, GCP, Azure, and GitHub credentials.
- At publication time, a GitHub search returned 27,600 results and GitHub was deleting attacker-created repositories, but Wiz researchers noted that 1,000 new repositories were appearing every 30 minutes, complicating cleanup.
- npm announced it will revoke classic tokens on December 9, and GitHub is deprecating legacy tokens; security teams recommend rotating credentials, clearing the npm cache, downgrading affected dependencies to pre-compromise versions, and disabling postinstall scripts (since the payload described above runs at preinstall, the relevant npm control is ignore-scripts, which disables every lifecycle script rather than only postinstall).
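The indicators named above (the setup_bun.js and bun_environment.js payload files, and a package.json lifecycle hook that invokes them) can be swept for across an installed dependency tree before any lifecycle script is allowed to run. The following POSIX shell script is an added example written for this page, not code from Wiz, Docker, Aikido or any other cited researcher; the node_modules fixture it builds is constructed here (package names clean-pkg and evil-pkg are invented), and the scan relies on the two payload file names and the hook-injection pattern the reporting describes rather than on any hash or other indicator the page does not give.

```sh
#!/bin/sh
# Added example: scan an installed node_modules tree for the Shai-Hulud 2.0
# indicators named in the coverage above: dropped payload files
# (setup_bun.js, bun_environment.js) and package.json install-lifecycle hooks
# that invoke them. Example code for this page, not from the cited researchers.
set -u

# Print one "<kind><TAB><path>" line per indicator found under $1.
# kinds: payload-file, lifecycle-hook
scan_npm_tree() {
    root="$1"
    # 1. Dropped payload files anywhere under the tree.
    find "$root" -type f \( -name 'setup_bun.js' -o -name 'bun_environment.js' \) \
        | while IFS= read -r f; do printf 'payload-file\t%s\n' "$f"; done
    # 2. Manifests whose preinstall / install / postinstall hook references either
    #    payload file: the package.json injection point described above.
    find "$root" -type f -name 'package.json' | while IFS= read -r m; do
        if grep -Eq '"(pre|post)?install"[[:space:]]*:[[:space:]]*"[^"]*(setup_bun|bun_environment)\.js' "$m"; then
            printf 'lifecycle-hook\t%s\n' "$m"
        fi
    done
}

# Number of indicators under $1, for CI gating (a non-zero count should fail a build).
count_indicators() {
    scan_npm_tree "$1" | wc -l | tr -d ' '
}

# Constructed fixture: one clean package and one trojanized package whose
# preinstall hook runs setup_bun.js, mirroring the pattern the reporting describes.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/node_modules/clean-pkg" "$fx/node_modules/evil-pkg"
    cat > "$fx/node_modules/clean-pkg/package.json" <<'EOF'
{ "name": "clean-pkg", "version": "1.0.0", "scripts": { "test": "node test.js" } }
EOF
    cat > "$fx/node_modules/evil-pkg/package.json" <<'EOF'
{ "name": "evil-pkg", "version": "2.0.1",
  "scripts": { "preinstall": "node setup_bun.js" } }
EOF
    : > "$fx/node_modules/evil-pkg/setup_bun.js"
    : > "$fx/node_modules/evil-pkg/bun_environment.js"
    printf '%s\n' "$fx"
}

# Stand-alone demo: sh scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    FX=$(make_fixture)
    scan_npm_tree "$FX"
    echo "indicators: $(count_indicators "$FX")"
    rm -rf "$FX"
fi
```

Run the scan against a real checkout with `scan_npm_tree ./node_modules` before installing anything, and pair it with `npm config set ignore-scripts true` (a standard npm setting) so that neither preinstall nor postinstall hooks execute while a compromised tree is being triaged; a package whose hook fires at preinstall would otherwise run before a postinstall-only block could intervene.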
15 Articles
Sha1-Hulud 2.0: npm Supply-Chain Attack FAQ
Sha1-Hulud malware is an aggressive npm supply-chain attack compromising CI/CD and developer environments. This blog addresses frequently asked questions and advises cloud security teams to immediately audit for at least 800 compromised packages. A massive resurgence of the Sha1-Hulud malware family, self-titled by the attackers as "The Second Coming," was observed around Nov. 24 targeting the npm ecosystem. Attackers compromised at least 800 hig…
Docker's swift action against Shai Hulud 2.0 vulnerability
On November 21, 2025, a significant and aggressive breach in the software development landscape was uncovered by security researchers. This incident, known as the Shai Hulud 2.0 campaign, stands out as one of the most formidable npm supply chain attacks to date. Within a mere 72 hours, this attack compromised over 25,000 GitHub repositories. The […]
New Shai-Hulud Attack Hits Nearly 500 Npm Packages
A new Shai-Hulud supply chain attack has hit nearly 500 npm packages with a total of 132 million monthly downloads. The latest campaign follows one in September that infected nearly 200 npm packages with more than 2 billion weekly downloads. The new campaign targeting the packages used to run JavaScript outside of a browser was reported by Aikido and other security firms. Aikido noted that a total of 492 packages have been affected by the self-r…
The Second Wave of Shai Hulud: npm Packages of Major Projects Compromised
The Second Wave of Shai Hulud: npm packages of major projects compromised, including Zapier, ENS, AsyncAPI, PostHog, and Postman. The campaign follows a clear timeline: the first write-up appears on August 27, the "first wave" starts on September 16, an in-depth analysis is published on September
Coverage Details
Bias Distribution
- 100% of the sources are Center