Shai-Hulud 2.0 is a widespread and destructive supply-chain malware campaign that has compromised the JavaScript ecosystem through the npm registry. First detected between November 21–24, 2025, this second wave follows an earlier Shai-Hulud campaign and has rapidly escalated, affecting over 1,000 npm packages, 27,000+ GitHub repositories, and 100+ million downloads across prominent projects like Zapier, Postman, ENS Domains, AsyncAPI, and PostHog.
Severity: High
Threat Details
- Initial Vector: Trojanized NPM Packages
- Attackers used compromised developer accounts to publish malicious versions of popular npm packages.
- Each infected package includes a preinstall script executing setup_bun.js, which:
- Downloads and installs the Bun runtime.
- Launches the obfuscated payload in bun_environment.js (~10MB).
- Malware Capabilities
The final payload is a multi-stage worm with three primary functions:
- Credential Harvesting: It downloads and executes TruffleHog to scan the local machine for secrets. Stolen information includes npm tokens, AWS/GCP/Azure cloud credentials, and environment variables.
- Data Exfiltration and Propagation:
- The worm steals the user’s secrets and uploads them to a public GitHub repository.
- The malware creates a new GitHub repository with a random name (unlike the first wave, which used a repository named shai-hulud) and sets the repository description to “Sha1-Hulud: The Second Coming”.
- It also deploys a GitHub Action runner named SHA1HULUD.
- The self-propagating worm republishes itself into up to 100 npm packages that the stolen token is allowed to publish to (up from 20 in the first wave), compromising them in turn.
- File Destruction (Wiper): If the malware cannot authenticate to GitHub or npm (and so can neither exfiltrate nor propagate), it falls back to destroying data. On Linux/macOS it uses the shred command to overwrite and delete writable files under the user’s home directory; on Windows it deletes all files under %USERPROFILE%.
Recommendations
- Immediately revoke and rotate all npm tokens associated with the compromised developer accounts and any machine that installed an affected version. Stolen npm tokens are the primary vector for propagation.
- Rotate any exposed AWS, GCP, or Azure cloud keys/secrets that may have been present in the developer’s environment variables or scanned by the malware (using tools like TruffleHog).
- Force-rotate all GitHub tokens and personal access tokens (PATs) associated with the compromised users.
- Delete any unauthorized GitHub Actions runners deployed by the malware (e.g., runners named SHA1HULUD).
- Check your repositories and lockfiles for package versions whose package.json carries the malicious "preinstall": "node setup_bun.js" script or that ship a setup_bun.js or bun_environment.js file, and revert to a clean, known-good commit.
- Configure your environment to block or limit the execution of scripts during package installation. Run npm install --ignore-scripts where possible (or set ignore-scripts=true in .npmrc), or use tools that can sandbox or analyze these scripts before execution.
- Use runtime analysis tools that check for known malware signatures or flag suspicious behaviors like installing third-party tools (like TruffleHog) or making network calls to unknown domains.
- Mandate MFA for all developer accounts on critical platforms like npm, GitHub, and cloud providers (AWS, GCP, Azure). This makes stolen tokens or passwords useless on their own.
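The checks from the recommendations above (hunting for the setup_bun.js lifecycle hook and the dropped files, confirming that .npmrc disables install scripts, and spotting the rogue SHA1HULUD runner) as one added Python example. This is not code from the advisory or from any of the sources listed below; the package names, the fixture tree and the runner listing are constructed sample data, and the runner listing only assumes the JSON shape of GitHub's REST GET /repos/{owner}/{repo}/actions/runners response.

```python
"""IOC sweep for the Shai-Hulud 2.0 npm worm.

Added example for this advisory; it is not code from the advisory or from the
sources it cites. It walks a checkout or node_modules tree for the indicators
named above (a lifecycle script that runs setup_bun.js, the dropped
setup_bun.js / bun_environment.js files), checks that .npmrc turns install
scripts off, and filters a GitHub Actions runner listing for the worm's
SHA1HULUD runner name.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory text.
IOC_FILES = {"setup_bun.js", "bun_environment.js"}
IOC_SCRIPT_RE = re.compile(r"setup_bun\.js")
IOC_RUNNER_RE = re.compile(r"sha1hulud", re.IGNORECASE)
# The worm uses preinstall; install/postinstall are checked too since they run just as early.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def scan_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed package.json (empty list if clean)."""
    findings: list[str] = []
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return findings
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and IOC_SCRIPT_RE.search(cmd):
            findings.append(f"{hook} script runs setup_bun.js: {cmd!r}")
    return findings


def scan_tree(root) -> dict[str, list[str]]:
    """Walk root and return {relative_dir: [findings]} for every directory with a hit."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        findings = []
        dropped = IOC_FILES.intersection(filenames)
        if dropped:
            findings.append("dropped file(s): " + ", ".join(sorted(dropped)))
        if "package.json" in filenames:
            try:
                with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                    findings.extend(scan_manifest(json.load(fh)))
            except (OSError, ValueError) as exc:
                # An unparsable manifest deserves a look too; record it rather than skip it.
                findings.append(f"unreadable package.json: {exc}")
        if findings:
            hits[os.path.relpath(dirpath, root)] = findings
    return hits


def npmrc_blocks_scripts(npmrc_text: str) -> bool:
    """True if the .npmrc content sets ignore-scripts=true (the mitigation recommended above)."""
    for raw in npmrc_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip ini-style comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


def suspicious_runners(listing: dict) -> list[str]:
    """Runner names matching the worm's, from a GET /repos/{owner}/{repo}/actions/runners response."""
    return [r.get("name", "") for r in listing.get("runners", [])
            if IOC_RUNNER_RE.search(r.get("name", ""))]


def build_fixture(base: Path) -> None:
    """Write a constructed sample tree: one package carrying the indicators, one clean package."""
    victim = base / "node_modules" / "victim-pkg"  # hypothetical package name
    victim.mkdir(parents=True)
    (victim / "package.json").write_text(json.dumps({
        "name": "victim-pkg", "version": "1.0.1",
        "scripts": {"preinstall": "node setup_bun.js", "test": "jest"},
    }))
    (victim / "setup_bun.js").write_text("// stand-in for the dropper; no real payload here\n")
    (victim / "bun_environment.js").write_text("// stand-in for the obfuscated payload\n")
    clean = base / "node_modules" / "clean-pkg"  # hypothetical package name
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "clean-pkg", "version": "2.3.0", "scripts": {"test": "jest"},
    }))


def demo() -> dict[str, list[str]]:
    """Build the constructed fixture in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(Path(tmp))
        return scan_tree(tmp)


if __name__ == "__main__":
    for pkg_dir, findings in demo().items():
        print(pkg_dir)
        for finding in findings:
            print("  -", finding)
    print("ignore-scripts set:", npmrc_blocks_scripts("ignore-scripts=true\n"))
    print("rogue runners:", suspicious_runners({"total_count": 2, "runners": [
        {"id": 1, "name": "SHA1HULUD", "os": "Linux", "status": "online"},
        {"id": 2, "name": "ubuntu-build-01", "os": "Linux", "status": "online"},
    ]}))
```

On a real machine, point scan_tree at the repository root (so both the checkout and node_modules are covered) and feed suspicious_runners the JSON returned by the runners endpoint for each repository the compromised accounts could reach. A clean sweep here does not replace the token rotation above: the worm has already published from the stolen npm token by the time the dropped files are visible.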
Source:
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
- https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
- https://research.jfrog.com/post/shai-hulud-the-second-coming/
- https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
- https://www.reversinglabs.com/blog/another-shai-hulud-npm-worm-is-spreading-heres-what-you-need-to-know
- https://safedep.io/shai-hulud-second-coming-supply-chain-attack/
- https://socket.dev/blog/shai-hulud-strikes-again-v2
- https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack