
Over 700 npm packages compromised as self-replicating malware targets developer credentials across Zapier, PostHog, Postman, and ENS Domains—with a scorched-earth failsafe that wipes victim systems
A devastating second wave of the Shai-Hulud supply chain attack has compromised more than 700 npm packages with a combined 132 million monthly downloads, creating what security researchers are calling one of the most aggressive and far-reaching threats to the JavaScript ecosystem in 2025.
The attack, detected on November 24, has already spawned over 25,000 malicious GitHub repositories across approximately 500 user accounts—and it's accelerating at a rate of 1,000 new repos every 30 minutes.
What makes this iteration particularly alarming is its "scorched earth" contingency: if the malware fails to steal credentials or establish persistence, it attempts to completely destroy the victim's home directory, escalating the attack from espionage to catastrophic data destruction.
The "Second Coming" Strikes Major Development Tools
Security firms including Wiz, Aikido, Snyk, and JFrog simultaneously detected the attack beginning at 3:16 AM GMT on November 24, 2025. The initial breach targeted 36 AsyncAPI packages, followed by rapid compromises of PostHog packages at 4:11 AM and Postman packages at 5:09 AM. Major organizations affected include:
- Zapier - Multiple SDK and integration packages
- ENS Domains - Ethereum name service libraries
- PostHog - Analytics and feature flag packages
- Postman - API development tools
- Browserbase - Browser automation infrastructure
- AsyncAPI - API specification tools
- Voiceflow - Conversational AI platform packages
"The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing potential exposure in build and runtime environments," noted researchers from Wiz. This represents a critical evolution from the September attack, as preinstall execution runs automatically during package installation—before developers can even inspect the code.
The malware creates public GitHub repositories with the description "Sha1-Hulud: The Second Coming," a theatrical reference to the giant sandworms from the science fiction novel Dune. However, unlike the original Shai-Hulud attack that compromised 187 packages in September, this iteration demonstrates substantially more sophisticated capabilities and destructive intent.
How the Attack Works
The second-wave malware operates through two primary payload files—setup_bun.js and bun_environment.js—that execute during npm's preinstall lifecycle phase.
[Figure: A visual summary of the Sha1-Hulud campaign. Image: Wiz]
Here's the attack sequence:
Initial Infection: When a developer or CI/CD system installs a compromised package, the preinstall script automatically triggers setup_bun.js, which falsely claims to install the Bun JavaScript runtime while actually deploying bun_environment.js, a highly obfuscated 10MB malicious payload.
Credential Harvesting: The malware deploys TruffleHog, a legitimate open-source credential scanner, to systematically search for:
- NPM authentication tokens
- GitHub Personal Access Tokens (PATs)
- AWS, Google Cloud Platform, and Azure credentials
- SSH keys and API tokens
- Environment variables containing secrets
Preliminary analysis of 20,000 compromised repositories has revealed at least 775 GitHub access tokens, 373 AWS credentials, 300 GCP credentials, and 115 Azure credentials exposed through this campaign.
Cross-Victim Exfiltration: In a particularly insidious twist, the malware implements "cross-victim exfiltration," where one victim's stolen secrets are pushed to public repositories owned by a completely different, unrelated victim. This makes detection and cleanup significantly more complex, as organizations may find sensitive data from other companies exposed in their own GitHub accounts.
Persistence Mechanisms: The malware registers infected machines as self-hosted GitHub Actions runners named "SHA1HULUD" and injects a backdoor workflow (discussion.yaml) that exploits an injection vulnerability. This allows attackers to execute arbitrary commands on compromised machines simply by opening discussions in the GitHub repository—even after the initial infection is cleaned up.
Self-Replication: The worm authenticates to npm using stolen tokens, identifies up to 100 packages maintained by the victim (up from 20 in the previous wave), injects the malicious code, bumps version numbers, and publishes the compromised packages back to the registry—all without human intervention.
Privilege Escalation: On Linux systems, the malware attempts to gain root access by executing a Docker command that mounts the host's root filesystem into a privileged container, allowing it to create a malicious sudoers file that grants passwordless root access.
When Theft Fails, Destruction Follows
Perhaps the most concerning evolution in Sha1-Hulud 2.0 is its wiper-like functionality. If the malware cannot authenticate to GitHub, create repositories, fetch tokens, or find npm credentials, it executes a catastrophic data destruction routine that attempts to delete every writable file in the user's home directory.
"In other words, if Sha1-Hulud is unable to steal credentials, obtain tokens, or secure any exfiltration channel, it defaults to catastrophic data destruction," explained security researchers Yuval Ronen and Idan Dardikman from Koi Security. "This marks a significant escalation from the first wave, shifting the actor's tactics from purely data-theft to punitive sabotage."
Justin Moore, senior manager of Threat Intel Research at Palo Alto Networks Unit 42, characterized this as a watershed moment: "The more nefarious threat is the embedded 'scorched earth' contingency payload. If Shai-Hulud 2.0 fails to exfiltrate credentials, it executes a fail-safe that attempts to irrevocably destroy the victim's entire home directory, escalating the attack from simple espionage into a guaranteed, highly disruptive denial-of-service event."
Strategic Attack Before NPM Security Deadline
The attack's timing is notable. NPM recently announced plans to revoke all classic authentication tokens on December 9, 2025, following the September wave of supply chain attacks. With many developers still not migrated to trusted publishing workflows, the attackers apparently seized this window for "one more hit" before the security deadline.
As Cyber Kendra previously reported, the npm ecosystem has faced an unprecedented series of attacks in recent months. In early September 2025, attackers compromised packages with over 2 billion combined weekly downloads, including fundamental libraries like chalk, debug, and ansi-styles, injecting cryptocurrency-stealing malware. The original Shai-Hulud attack followed weeks later, compromising over 700 packages including multiple CrowdStrike tools through credential theft and GitHub repository manipulation.
Widespread Impact and Detection Challenges
The blast radius of Sha1-Hulud 2.0 is massive. Some of the compromised packages are extraordinarily prevalent in production environments:
- @postman/tunnel-agent: Found in 27% of cloud and code environments
- posthog-node: Present in 25% of environments
- @asyncapi/specs: Deployed in 20% of environments
- posthog-js: Used in 15% of environments
This means that even organizations not directly using the affected packages may have them as transitive dependencies (dependencies of dependencies) deep in their dependency trees, making detection significantly more challenging.
"The threat leverages compromised maintainer accounts to publish trojanized versions of legitimate npm packages that execute credential theft and exfiltration code during installation," noted Wiz researchers. The attack also appears to have leveraged GitHub Action vulnerabilities similar to those exploited in the August 2025 Nx compromise, which exposed over 2,000 corporate secrets.
Several researchers observed that some compromised packages contain the staging code (setup_bun.js) but not the actual malware payload (bun_environment.js), suggesting either incomplete propagation or mistakes in the attack automation. However, this provides little comfort as the infection mechanism remains in place.
Industry Response and Remediation
Major affected companies quickly acknowledged the compromises. PostHog, Postman, and AsyncAPI teams detected the malicious versions within hours and worked with npm to remove them from the registry. Many packages have since been reclaimed by their legitimate owners, though the damage from exposed credentials may persist for years.
CISA (Cybersecurity and Infrastructure Security Agency) issued an official alert urging organizations to:
- Conduct immediate dependency audits of all software using npm packages
- Check package-lock.json or yarn.lock files to identify affected packages, including nested dependencies
- Pin npm package versions to known safe releases produced before September 16, 2025
- Rotate all developer credentials immediately, including GitHub PATs, npm tokens, and cloud service keys
- Enable phishing-resistant MFA on all developer accounts
- Block outbound connections to webhook.site domains used for exfiltration
- Audit GitHub repositories for suspicious workflows, especially discussion.yaml files or unexpected self-hosted runners
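As an added example of the lock-file audit CISA recommends (this is not code from the article or from any vendor advisory), the following Node script walks a package-lock.json in both the lockfileVersion 1 nested format and the v2/v3 flat packages map, so transitive copies buried several levels deep are reported along with their install path. The AFFECTED list and the sample lockfiles are constructed placeholders; take the real package names and versions from the vendor advisories.

```javascript
// Added example (not part of the article): find advisory-listed packages in a
// package-lock.json, including nested/transitive copies. Names and versions
// below are constructed placeholders; use the vendor advisories for real data.
const AFFECTED = new Map([
  ['posthog-node', ['9.9.9']],        // flag only the listed versions
  ['@postman/tunnel-agent', []],      // empty list: flag any installed version
]);
const NM = 'node_modules/';

// lockfileVersion 2/3: flat "packages" map keyed by the install path, so a
// nested copy appears as ".../node_modules/a/node_modules/b".
function scanPackagesMap(lock, hits) {
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                          // the root project itself
    const name = path.slice(path.lastIndexOf(NM) + NM.length); // keeps @scope/name
    check(name, meta.version, path, hits);
  }
}

// lockfileVersion 1: nested "dependencies" tree; recurse to reach transitives.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}${NM}${name}`;
    check(name, meta.version, path, hits);
    scanDependencyTree(meta.dependencies, `${path}/`, hits);
  }
}

function check(name, version, path, hits) {
  const bad = AFFECTED.get(name);
  if (bad && (bad.length === 0 || bad.includes(version))) hits.push({ name, version, path });
}

function findAffected(lock) {
  const hits = [];
  if (lock.lockfileVersion >= 2) scanPackagesMap(lock, hits);
  else scanDependencyTree(lock.dependencies, '', hits);
  return hits;
}

// Constructed samples: a v1 lockfile with the affected package two levels deep,
// and a v3 lockfile with a scoped affected package nested under another package.
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'my-analytics-wrapper': { version: '1.0.0', dependencies: { 'posthog-node': { version: '9.9.9' } } },
  'left-pad': { version: '1.3.0' },
} };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/some-proxy': { version: '2.0.0' },
  'node_modules/some-proxy/node_modules/@postman/tunnel-agent': { version: '0.0.99' },
} };
```

Run it against `JSON.parse(fs.readFileSync('package-lock.json'))` in each repository; a non-empty result means the package is installed even if it never appears in your own package.json.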
Security vendors have implemented automated detection. Snyk, Tenable, and other platforms are automatically re-testing customer assets and proactively notifying affected organizations. GitHub is actively removing attacker-created repositories, though new ones continue to appear as the malware propagates.
What Developers and Organizations Must Do Now
Security teams should take immediate action:
Check for Compromise: Search GitHub for repositories with "Sha1-Hulud: The Second Coming" in the description or unexpected repositories created between November 21-24, 2025. Audit GitHub logs for "s1ngularity" or "SHA1HULUD" strings in repository events.
Clean and Rebuild: Clear npm cache with npm cache clean --force, remove node_modules directories, and reinstall dependencies pinned to known-clean versions. Review .github/workflows/ directories for suspicious files like discussion.yaml or formatter_*.yml.
Rotate Everything: Assume all credentials on affected systems are compromised. Revoke and regenerate npm tokens, GitHub PATs, SSH keys, and cloud provider credentials. Security analysis shows that days after previous attacks, 40% of leaked npm tokens and 5% of GitHub tokens remained valid—don't let that happen to your organization.
Harden CI/CD: Restrict or disable lifecycle scripts in CI/CD environments using npm config set ignore-scripts true. Limit outbound network access from build systems to trusted domains only. Use short-lived, scoped automation tokens instead of long-lived credentials.
Implement Defense in Depth: Enable GitHub Secret Scanning alerts, Dependabot security updates, and branch protection rules. Consider using npm package firewall solutions like JFrog Curation to block malicious packages before they enter your supply chain.
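The "Check for Compromise" and "Clean and Rebuild" steps above can be scripted. The following Node function is an added example (not code from the article, a vendor, or the malware) that audits a checked-out project tree for the indicators the article names: the setup_bun.js and bun_environment.js files inside installed packages, the discussion.yaml and formatter_*.yml workflow filenames, and, going beyond the specific filenames, any workflow that reacts to discussion events on a self-hosted runner and any installed package with a preinstall hook, since lifecycle scripts are the infection vector. The file tree is passed in as a path-to-content map; the sample tree is constructed.

```javascript
// Added example (not from the article): audit a project tree for the
// indicators the article names. `files` maps relative path -> file content.
const PAYLOAD_FILES = ['setup_bun.js', 'bun_environment.js'];

function auditRepo(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const base = path.slice(path.lastIndexOf('/') + 1);
    const installed = path.includes('node_modules/');
    // 1. Staging or payload files dropped into an installed package.
    if (installed && PAYLOAD_FILES.includes(base)) {
      findings.push({ path, severity: 'high', reason: 'known Sha1-Hulud payload filename' });
    }
    // 2. Lifecycle hooks: every installed package with a preinstall script is listed
    //    for review; one that invokes setup_bun.js is flagged outright.
    if (installed && base === 'package.json') {
      let pre;
      try { pre = (JSON.parse(content).scripts || {}).preinstall; } catch { pre = undefined; }
      if (pre) findings.push({ path, severity: /setup_bun\.js/.test(pre) ? 'high' : 'review',
                               reason: `preinstall hook: ${pre}` });
    }
    // 3. Workflows: filenames the article lists, or any workflow triggered by
    //    discussion events that targets a self-hosted runner (the backdoor shape).
    if (path.startsWith('.github/workflows/')) {
      const nameHit = base === 'discussion.yaml' || /^formatter_.*\.yml$/.test(base);
      const onDiscussion = /^\s*discussion\s*:/m.test(content) || /^on:.*\bdiscussion\b/m.test(content);
      const selfHosted = /runs-on:.*(self-hosted|SHA1HULUD)/.test(content);
      if (nameHit || (onDiscussion && selfHosted)) {
        findings.push({ path, severity: 'high',
          reason: nameHit ? 'suspicious workflow filename' : 'discussion-triggered job on self-hosted runner' });
      }
    }
  }
  return findings;
}

// Constructed sample tree: a clean workflow, a backdoor-style workflow, a clean
// package, a trojanized package, and a package with a benign native build hook.
const SAMPLE_REPO = {
  '.github/workflows/ci.yml': 'on: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n',
  '.github/workflows/discussion.yaml':
    'on:\n  discussion:\n    types: [created]\njobs:\n  run:\n    runs-on: self-hosted\n',
  'node_modules/good-lib/package.json': '{"name":"good-lib","version":"1.0.0"}',
  'node_modules/bad-lib/package.json': '{"name":"bad-lib","scripts":{"preinstall":"node setup_bun.js"}}',
  'node_modules/bad-lib/setup_bun.js': '// staging code (constructed placeholder)',
  'node_modules/native-lib/package.json': '{"name":"native-lib","scripts":{"preinstall":"node-gyp rebuild"}}',
};
```

Build the map by walking the repository with fs (including node_modules before you delete it), then treat every 'high' finding as a compromised host and follow the "Rotate Everything" step.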
The era of blindly trusting package registries has definitively ended. As this attack demonstrates, even well-maintained, popular packages from reputable organizations can be compromised within hours. Organizations must now implement active security monitoring, dependency verification, and assume-breach postures for their development infrastructure.
For the full list of 700+ compromised packages and ongoing updates, security teams should monitor advisories from Socket, Snyk, JFrog, Wiz, and CISA. The situation remains fluid as researchers continue identifying newly compromised packages and tracking the malware's evolution.
The supply chain security community now faces a critical question: How many more iterations of Shai-Hulud await, and what will the "Third Coming" bring?
Organizations affected by this attack or requiring incident response assistance should contact their security vendors immediately. For the complete list of compromised packages, check Heliguard's list or vendor-specific advisories.
