Sha1-Hulud: Second Wave of npm Supply Chain Attacks Reveals Sabotage Tactics
Multiple security companies have warned of a second wave of attacks affecting the npm registry, reminiscent of the Shai-Hulud attack of September 2025. This new campaign, called Sha1-Hulud, has compromised hundreds of npm packages between November 21 and 23, 2025. According to Wiz researchers, the new variant of the attack executes malicious code during the preinstall phase, significantly increasing exposure in build and runtime environments.

The Evolution of the Sha1-Hulud Attack

The Sha1-Hulud attack shares similarities with the previous wave, which also posted stolen secrets on GitHub under the description “Sha1-Hulud: The Second Coming.” The previous wave was characterized by compromising legitimate packages to search for secrets on developer machines using the TruffleHog credential scanner and propagate in a self-replicating manner. ...