
Multiple security companies have warned of a second wave of attacks affecting the npm registry, reminiscent of the Shai-Hulud attack of September 2025. This new campaign, called Sha1-Hulud, has compromised hundreds of npm packages between November 21 and 23, 2025.
According to Wiz researchers, the new variant of the attack executes malicious code during the preinstall phase, significantly increasing exposure in build and runtime environments.
The Evolution of the Sha1-Hulud Attack
The Sha1-Hulud attack shares similarities with the previous wave, which also posted stolen secrets on GitHub under the description “Sha1-Hulud: The Second Coming.” The previous wave was characterized by compromising legitimate packages to search for secrets on developer machines using the TruffleHog credential scanner and propagate in a self-replicating manner.
In the current wave, attackers modified the package.json of compromised packages to add a preinstall script (setup_bun.js). This script silently installs the Bun runtime, or locates an existing installation, and then executes a bundled malicious script (bun_environment.js).
Malicious Payload Functionality
The Sha1-Hulud malicious payload executes a sequence of actions through two main workflows:
1. Credential Theft
The malware downloads and runs TruffleHog to scan the local machine and steal sensitive information. The main objectives include:
- NPM tokens.
- AWS, GCP and Azure credentials.
- Environment variables.
2. Persistence and Sabotage on GitHub
The attack establishes a persistence and exfiltration mechanism for secrets through GitHub:
- Runner Registration: Registers the infected machine as a self-hosted runner (“SHA1HULUD”) in the GitHub repository.
- Secret Exfiltration: Exfiltrates all secrets defined in the GitHub secrets section and uploads them as an artifact (actionsSecrets.json) to a repository controlled by the attacker. The workflow is subsequently deleted to hide the activity.
- Remote Control: Adds a workflow (.github/workflows/discussion.yaml) with an injection vulnerability that runs specifically on self-hosted runners. This allows the attacker to execute arbitrary commands on the infected machines by simply opening discussions in the GitHub repository.
Scale of Attack and Escalation to Punitive Sabotage
The Sha1-Hulud campaign has shown rapid spread. Wiz has detected over 25,000 affected repositories across approximately 350 unique users, with 1,000 new repositories being added consistently every 30 minutes.
The second wave of attacks has introduced an aggressive new “punitive sabotage” functionality reported by Koi Security. If the malware fails at credential exfiltration or persistence (for example, it cannot authenticate to GitHub, create a repository, or find tokens), it triggers a wiper functionality that destroys the user’s entire home directory. This tactic marks a significant escalation, going from pure data theft to catastrophic sabotage if the theft is unsuccessful.
Additionally, the malware seeks to escalate privileges by executing a Docker command. This command mounts the host’s root filesystem into a privileged container to copy a malicious sudoers file, granting the attacker passwordless root access.
Mitigation Recommendations
Faced with the threat of Sha1-Hulud, organizations must take immediate steps to protect their development environments:
- Endpoint Scanning: Scan all endpoints for the presence of impacted packages.
- Removal of Compromised Versions: Immediately remove any compromised versions of packages.
- Credential Rotation: Rotate all credentials and access tokens (NPM, AWS, Azure, GCP) that may have been exposed.
- Repository Audit: Review repositories for persistence mechanisms. This includes inspecting the .github/workflows/ folder for suspicious files like shai-hulud-workflow.yml or unexpected branches.
References
- Scan tool: TruffleHog (used by malware to steal credentials).
- Malicious persistence workflow: .github/workflows/discussion.yaml.