Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry, reminiscent of the Shai-Hulud attack.
The new supply chain campaign, dubbed Sha1-Hulud, has reportedly compromised hundreds of npm packages, according to Aikido, HelixGuard, Koi Security, Socket.com, and Wiz.
“The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing the potential exposure in the build and runtime environments,” said Wiz researchers Hila Ramati, Merav Bar, Gail Benmocha and Gilly Tikochinsky.
Like the Shai-Hulud attack that unfolded in September 2025, the latest activity also publishes stolen secrets on GitHub, this time with the repository description: “Sha1-Hulud: The Second Coming.”
The previous wave was characterized by the compromise of legitimate packages, which were modified to run TruffleHog’s credential scanner on developer machines, search them for secrets, and transmit whatever it found to an external server under the attacker’s control.
The infected variant could also propagate in a self-replicating manner by re-publishing itself into other npm packages owned by the compromised maintainer.
In the latest set of attacks, attackers have been found adding a preinstall hook to package.json that runs a script (“setup_bun.js”), which covertly installs or locates the Bun runtime and then executes a bundled malicious script (“bun_environment.js”).
The malicious payload carries out the following sequence of actions through two different workflows:
Registers the infected machine as a GitHub Actions self-hosted runner named “SHA1HULUD” and adds a workflow, .github/workflows/discussion.yaml, that runs exclusively on that runner and contains a command-injection flaw: because the workflow is triggered by repository discussions, the attacker can execute arbitrary commands on the infected machine simply by opening a discussion in the GitHub repository.
A second workflow extracts the secrets defined in the repository’s Secrets settings and uploads them as a build artifact, which the attacker then downloads; a follow-up deletion workflow removes the evidence to hide the activity.
“After execution, the malware downloads and runs Trufflehog to scan the local machine, stealing sensitive information such as NPM tokens, AWS/GCP/Azure credentials, and environment variables,” HelixGuard said.
Wiz said it has seen more than 25,000 affected repositories across approximately 350 unique users, with roughly 1,000 new repositories being added every 30 minutes over the past few hours.
“This campaign continues the trend of NPM supply-chain compromises referencing Shai-Hulud nomenclature and tradecraft, although different actors may be involved,” Wiz said. “This threat leverages compromised maintainer accounts to publish trojanized versions of legitimate NPM packages that execute credential theft and exfiltration code during installation.”
Koi Security described the second wave as far more aggressive: the malware attempts to destroy the victim’s entire home directory if it fails to authenticate or establish persistence, deleting every writable file owned by the current user under their home folder. This wiper-like behaviour is triggered only when all of the following conditions are met:
- It cannot authenticate to GitHub
- It cannot create the GitHub repository
- It cannot obtain a GitHub token
- It cannot obtain an npm token
Security researchers Yuval Ronen and Idan Dardikman said, “In other words, if Sha1-Hulud is unable to steal credentials, obtain tokens, or secure an intrusion channel, it defaults to catastrophic data destruction. This represents a significant escalation from the first wave, which shifted the actor’s strategy from purely data-theft to punitive subversion.”
To mitigate the risk posed by the threat, organizations are being urged to scan all endpoints for the presence of affected packages, remove compromised versions immediately, rotate all credentials, and audit repositories for persistence mechanisms: review .github/workflows/ for suspicious files such as shai-hulud-workflow.yml or discussion.yaml, look for unexpected branches, and check for self-hosted runners the organization did not register.
(This is a developing story and will be updated as new details emerge.)