Full Report
Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that's reminiscent of the Shai-Hulud attack. The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, Koi Security, Socket, and Wiz. "The campaign introduces a new variant that executes malicious
Analysis Summary
# Incident Report: Sha1-Hulud Second Wave npm Supply Chain Compromise
## Executive Summary
A second, more aggressive wave of supply chain attacks, dubbed "Sha1-Hulud," targeted the npm registry, compromising hundreds of packages and affecting over 25,000 repositories. Attackers leveraged compromised maintainer accounts to execute malicious code during the `preinstall` phase, focusing on stealing developer secrets (tokens, cloud credentials). The updated malware also incorporated a destructive wiper capability, triggering mass data deletion under specific exfiltration failure conditions. Response efforts focused on identification, removal of impacted packages, and urging users to scan environments.
## Incident Details
- Discovery Date: November 24, 2025 (Reported)
- Incident Date: Ongoing at time of report (Follow-up to September 2025 incident)
- Affected Organization: Globally, any organization utilizing the compromised npm packages.
- Sector: Technology/Software Development (npm registry users)
- Geography: Global (npm registry supply chain)
## Timeline of Events
### Initial Access
- Date/Time: Ongoing campaign prior to Nov 24, 2025 report.
- Vector: Compromise of legitimate npm package maintainer accounts.
- Details: Attackers published trojanized versions of legitimate npm packages.
### Lateral Movement
- Details: The initial malware payload registered infected machines as self-hosted runners ("SHA1HULUD") on GitHub and created a malicious workflow (`.github/workflows/discussion.yaml`) to enable arbitrary command execution on those runners.
### Data Exfiltration/Impact
- Details: Malware used TruffleHog to scan local machines for sensitive information (NPM Tokens, AWS/GCP/Azure credentials, environment variables). Stolen secrets were exfiltrated by uploading them as artifacts from the GitHub workflow, followed by workflow deletion for concealment. A significant escalation involved a wiper mechanism attempting to destroy the victim's entire home directory if credential theft/exfiltration failed.
### Detection & Response
- Date/Time: Starting Nov 24, 2025 reports.
- Details: Vendors (Aikido, HelixGuard, Koi Security, Socket, Wiz) detected the activity. Response involved identifying impacted packages, notifying users, and urging endpoint scanning.
## Attack Methodology
- Initial Access: Compromised npm maintainer accounts used to publish malicious packages.
- Persistence: Creating self-hosted runners ("SHA1HULUD") and persistent malicious GitHub workflows (`.github/workflows/discussion.yaml`) on infected repositories.
- Privilege Escalation: N/A explicitly stated, inferred through execution within the build/runtime environment.
- Defense Evasion: Deleting the malicious GitHub discussion workflow artifact after exfiltration to conceal activity.
- Credential Access: Execution of embedded scripts (using `setup_bun.js` and `bun_environment.js`) that ran TruffleHog to locate and steal secrets (NPM Tokens, cloud keys, env vars).
- Discovery: Malware scanned the local developer machine using TruffleHog.
- Lateral Movement: Potential self-replicating ability observed in the prior wave (re-publishing packages owned by the compromised maintainer) may apply, though the focus here is on runner registration.
- Collection: Gathering developer secrets via TruffleHog execution.
- Exfiltration: Uploading credentials as artifacts via a compromised GitHub repository workflow.
- Impact: Data theft (credentials) or catastrophic data destruction (wiper functionality).
## Impact Assessment
- Financial: Not explicitly detailed, high potential impact due to cloud credential theft.
- Data Breach: High risk; theft of NPM Tokens, AWS/GCP/Azure credentials, and environment variables. Over 25,000 repositories spanned by the activity.
- Operational: Potential for significant operational disruption if the wiper functionality was triggered globally across development environments. Build and runtime environments were directly exposed during package installation/preinstallation.
- Reputational: Significant reputational damage to the npm ecosystem due to repeated, aggressive supply chain attacks.
## Indicators of Compromise
- File Indicators: `setup_bun.js`, `bun_environment.js` (executed during preinstall/install).
- Behavioral Indicators: Execution of scripts during the `preinstall` phase; attempts to register self-hosted GitHub runners named "SHA1HULUD"; creation of GitHub workflows at `.github/workflows/discussion.yaml`; high volume of artifact uploads post-execution; self-destruction/wiper execution if exfiltration fails.
## Response Actions
- Containment: Organizations urged to scan endpoints for impacted packages and remove compromised versions immediately.
- Eradication steps: Not detailed, but would involve cleaning infected build environments, removing malicious runners, and revoking all potentially exposed secrets/tokens.
- Recovery actions: Not detailed, but standard recovery involves secret rotation and environment hardening.
## Lessons Learned
- The npm supply chain remains a critical vector; reliance on package maintainer accounts poses extreme risk.
- Attackers are rapidly iterating on prior successful methods (Shai-Hulud tradecraft).
- The shift in attack tactics, incorporating a destructive wiper functionality contingent on exfiltration failure, represents a significant escalation from purely data-theft motives to punitive sabotage.
- Execution during the `preinstall` phase maximizes exposure in CI/CD pipelines and developer workstations.
## Recommendations
- Strictly vet all third-party dependency code, especially executing scripts within installation phases (`preinstall`, `install`).
- Implement strict security policies regarding CI/CD runner configuration, particularly preventing unvetted self-hosted runners from obtaining high privileges.
- Rotate all secrets (NPM tokens, cloud keys, environment variables) immediately upon suspicion of compromise.
- Utilize software composition analysis (SCA) tools capable of deep inspection of package behavior, not just dependency metadata.
- Harden developer environments to limit where sensitive configuration files and secrets are stored and how widely writable user directories are.