Full Report
Sha1-Hulud malware is an aggressive npm supply-chain attack compromising CI/CD and developer environments. This blog addresses frequently asked questions and advises cloud security teams to immediately audit for at least 800 compromised packages.

A massive resurgence of the Sha1-Hulud malware family, self-titled by the attackers as "The Second Coming," was observed around Nov. 24 targeting the npm ecosystem. Attackers compromised at least 800 high-profile publisher accounts to upload trojanized versions of legitimate packages. Unlike previous iterations, these versions carry new payloads and execute through install lifecycle scripts to compromise developer environments and CI/CD pipelines at scale. The malware is significantly more aggressive than the previous campaign: it attempts to destroy the victim's home directory and, in some cases, deletes all writable files owned by the user.

Frequently asked questions about Sha1-Hulud: The Second Coming

What is the initial vector of this new campaign?

The attack chain begins when a developer installs a compromised package containing a modified manifest file. The adversary injects a `preinstall` lifecycle script into `package.json` that triggers a file named `setup_bun.js` as soon as npm processes the package.

Unlike typical supply chain attacks that execute malicious logic directly in the Node.js process, this script downloads and installs the Bun runtime, a separate JavaScript environment. Once installed, the malware uses the Bun binary to execute a bundled payload, often named `bun_environment.js`. This "bring your own runtime" technique lets the malicious code run outside the visibility of standard Node.js security tools and static analysis scanners that monitor the primary build process.

What is the impact of this campaign?

The blast radius of this campaign is extensive. Tens of thousands of GitHub repositories are reportedly affected. It extends to high-profile integrations, including ones from Zapier, ENS Domains, and Postman. By hijacking trusted publisher accounts rather than using typosquatting, the attackers poisoned the supply chain at a fundamental level, pushing malicious code into thousands of corporate environments through nothing more than routine dependency updates.

What are the immediate steps cloud security teams can take to address this issue?

- Audit your environment: use a security scanner to check whether malicious versions of the affected packages are present (see the list below).
- Remove them by upgrading to a later, clean version.

Which Tenable products can be used to address these malicious packages?

Tenable automatically and proactively detects malicious packages associated with Shai-Hulud campaigns across both on-premises and cloud environments. This isn't a one-time check. Tenable Nessus and Tenable Cloud Security, our cloud-native application protection platform (CNAPP), continuously monitor for new indicators of compromise (IOCs) and track research associated with this evolving campaign. As Shai-Hulud adapts its tactics, our threat intelligence and risk analysis capabilities update in real time, keeping your defense current.

Plugin ID 265897 can be used to identify compromised packages affected in the Sha1-Hulud campaigns. Tenable Cloud Security classifies affected packages as malicious; detected packages will appear in your Tenable Console environment the next time data is synced.

An appendix with a full listing of affected packages is available here.
Analysis Summary
# Incident Report: Sha1-Hulud Malware Resurgence ("The Second Coming")
## Executive Summary
A massive resurgence of the Sha1-Hulud malware family, self-titled by the attackers "The Second Coming," targeted the npm supply chain around November 24. Attackers compromised at least 800 high-profile publisher accounts and used them to publish trojanized versions of legitimate packages. The campaign uses a "bring your own runtime" technique, downloading the Bun runtime during installation and executing its payload under Bun rather than Node.js, to evade security monitoring focused on the Node.js process. Tens of thousands of GitHub repositories, along with the developer environments and CI/CD pipelines that installed the affected packages, are reported compromised.
## Incident Details
- **Discovery Date:** Approximately November 24 (Date of the observed resurgence).
- **Incident Date:** Occurred around Nov. 24.
- **Affected Organization:** Multiple organizations relying on the npm ecosystem (e.g., Zapier, ENS Domains, Postman integrations).
- **Sector:** Technology, Software Development.
- **Geography:** Global (npm ecosystem).
## Timeline of Events
### Initial Access
- **Date/Time:** Around November 24.
- **Vector:** Compromised npm package installation.
- **Details:** Attackers hijacked at least 800 high-profile publisher accounts to upload trojanized versions of legitimate packages. The attack chain begins when a developer installs a compromised package.
### Execution
- **Date/Time:** Post-installation execution.
- **Vector:** npm lifecycle script (`preinstall`) executed on the installing host.
- **Details:** The trojanized package's `package.json` declares a `preinstall` script that runs `setup_bun.js` as soon as npm processes the package. That script downloads and installs the Bun JavaScript runtime, then uses the Bun binary to execute the bundled payload, typically `bun_environment.js`, compromising the developer workstation or CI/CD runner that performed the install.
### Data Exfiltration/Impact
- **Date/Time:** During payload execution.
- **Details:** The malware's payload is highly aggressive, including attempts to destroy the victim’s home directory and delete all writable files owned by the user.
### Detection & Response
- **Date/Time:** Post-discovery by security researchers/vendors.
- **Details:** Immediate advice was issued for cloud security teams to audit their environments. Tenable products (Nessus and Tenable Cloud Security) proactively detect these malicious packages.
- **Response actions taken:** Recommended action is to use a security scanner (like Tenable, referencing Plugin ID 265897) to audit for affected packages and remove them by upgrading to a later, clean version.
## Attack Methodology
- **Initial Access:** Installation of a compromised npm package containing a modified manifest file (`package.json`) with a malicious `preinstall` lifecycle script.
- **Persistence:** Not described in the source. The `preinstall` hook fires on every fresh install of the trojanized version, so any host or pipeline that reinstalls dependencies from an unpatched manifest is re-compromised; running under the Bun binary is a defense-evasion measure rather than a persistence mechanism.
- **Privilege Escalation:** Not explicitly detailed, but compromising CI/CD environments suggests execution with high privileges relevant to the build process.
- **Defense Evasion:** Utilizing the Bun runtime binary to execute payloads (`bun_environment.js`). This "bring your own runtime" technique allows the malicious code to operate outside the visibility of standard **Node.js security tools and static analysis scanners**.
- **Credential Access:** Not specified, but typical for CI/CD compromise.
- **Discovery:** Implied, as the payload targets developer environments and pipelines.
- **Lateral Movement:** Not described in detail. The source reports tens of thousands of GitHub repositories affected, consistent with the trojanized packages propagating through routine dependency updates rather than through host-to-host movement.
- **Collection:** Not specified beyond the destructive nature of the payload.
- **Exfiltration:** Not specified.
- **Impact:** Destructive payload execution, attempting to wipe user data (home directory, all writable user files).
## Impact Assessment
- **Financial:** Not specified, but implied substantial costs related to remediation, downtime, and potential loss of proprietary code/resources.
- **Data Breach:** Data destruction/integrity loss is the primary impact noted, alongside potential exposure of secrets within compromised CI/CD environments.
- **Operational:** Severe disruption: compromised developer environments and CI/CD pipelines, destructive payloads against user data, and the need to freeze or heavily scrutinize dependency updates during remediation. Tens of thousands of GitHub repositories are reported affected.
- **Reputational:** High impact due to the involvement of high-profile integrated services (Zapier, ENS Domains, Postman).
## Indicators of Compromise
- **Network indicators:** Not provided/defanged in the source material.
- **File indicators:** Malicious packages containing a modified manifest file adding a `preinstall` lifecycle script referencing `setup_bun.js`. Executable payload often named `bun_environment.js`.
- **Behavioral indicators:** Automatic download and installation of the **Bun runtime** during package installation. Execution of code via the Bun binary rather than the primary Node.js process.
## Response Actions
- **Containment measures:** Immediate auditing of dependency trees for compromised packages.
- **Eradication steps:** Remove compromised packages by moving to a later, clean version (verify that the replacement was published after the publisher's account was re-secured, or pin to the last known-good version), then reinstall from a clean lockfile.
- **Recovery actions:** Re-secure affected CI/CD pipelines and developer workstations after verifying clean dependencies; because the `preinstall` hook ran with the installing user's privileges, treat npm, GitHub and cloud credentials reachable from those hosts as exposed and rotate them. Continue monitoring with security platforms such as Tenable.
## Lessons Learned
- **Supply Chain Trust is Fragile:** Hijacking trusted publisher accounts is highly effective for poisoning the supply chain at a fundamental level, bypassing common static defenses.
- **Execution Environment Diversity:** Attackers are moving beyond standard execution environments (e.g., Node.js) to leverage secondary, less-monitored runtimes (Bun) for defense evasion.
- **Lifecycle Scripting Risk:** Malicious use of `preinstall` lifecycle scripts remains a potent vector for initial compromise post-installation.
## Recommendations
- **Immediate Audit:** Cloud security teams must immediately audit environments for at least 800 known compromised npm packages across all dependencies.
- **Continuous Monitoring:** Implement continuous monitoring tools (like Tenable CNAPP) specialized in tracking software composition and supply chain risks, updated in real-time against evolving IOCs.
- **Runtime Segmentation:** Where possible, restrict or heavily scrutinize the ability of build environments (CI/CD) to provision or execute unknown runtimes outside of designated, secure processes.
- **Review Lifecycle Scripts:** Implement pre-installation checks or scans targeting suspicious or unknown lifecycle scripts in package manifests, and run installs with lifecycle scripts disabled where the build does not need them (`ignore-scripts=true` in `.npmrc`, or `npm ci --ignore-scripts`) so that a `preinstall` hook cannot execute at all; packages that genuinely need a build step must then be built explicitly.