Full Report
Hackers aren’t kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and “trusted” partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone, one bug in a common tool, and suddenly your mail, chats, repos, and
Analysis Summary
# Incident Report: Shai-Hulud 2.0 npm Supply Chain Worm Attack
## Executive Summary
A self-replicating malware worm, dubbed "Sha1-Hulud: The Second Coming," resurfaced and targeted the npm registry, affecting over 800 packages and 27,000 GitHub repositories. The attackers leveraged supply chain compromise to steal sensitive credentials, including API keys and authentication tokens, by injecting malicious payloads into package installation routines and subverting GitHub Actions workflows. The swift action by security researchers provided visibility into the extent of the compromise, mitigating further unauthorized access.
## Incident Details
- Discovery Date: Near November 27, 2025 (Based on timing of valid secrets discovery)
- Incident Date: Active during the reporting period prior to late November 2025
- Affected Organization: Various organizations leveraging compromised npm packages (e.g., Trigger.dev confirmed impact)
- Sector: Technology, Software Development, Cloud Services
- Geography: Likely global, impacting open-source ecosystems (npm)
## Timeline of Events
### Initial Access
- Date/Time: Ongoing, time not specified, linked to package installation.
- Vector: Compromised npm package installation (Supply Chain).
- Details: Attackers republished backdoored versions of over 800 npm packages. The malware executed upon package installation.
### Lateral Movement
- Date/Time: Post-installation execution.
- Vector: Exploitation of development environments and CI/CD systems.
- Details: The malware created and utilized GitHub Actions workflows for Command and Control (C2) and to steal repository secrets. It also backdoored *all* packages subsequently maintained by compromised developers.
### Data Exfiltration/Impact
- Date/Time: Post-execution/Initial Access phase.
- Vector: Credential Harvesting.
- Details: Stole API keys, cloud credentials (AWS IAM), npm and GitHub authentication information, Slack tokens, and keys for other services (OpenAI, Claude, GitLab). 294,842 total secret occurrences found, with 3,760 being valid secrets as of November 27, 2025.
### Detection & Response
- Discovery Date: Unknown, but visibility was provided by security researchers (Endor Labs, Trend Micro, Palo Alto Unit 42, GitGuardian) reporting on the active campaign.
- Response Actions: Research and analysis were published detailing the new evasion techniques (using the Bun runtime). One affected entity, Trigger.dev, confirmed credential theft and unauthorized GitHub access. (Specific organizational response actions are not detailed in the provided text).
## Attack Methodology
- Initial Access: Supply chain compromise via malicious npm package uploads/republishing.
- Persistence: Backdooring all subsequent packages maintained by the compromised developer accounts. Creation of malicious GitHub Actions workflows.
- Privilege Escalation: Not explicitly detailed, but access to secrets/keys likely facilitated elevated access within cloud environments or GitHub organizations.
- Defense Evasion: Dynamically installing and utilizing the **Bun runtime** instead of traditional Node.js to execute large payloads with improved stealth, evading defenses tuned for Node.js behavior.
- Credential Access: Scanning the compromised environment for secrets contained within repositories/workflows.
- Discovery: Likely targeted repositories belonging to developers who installed the worm.
- Lateral Movement: Using stolen internal GitHub/Cloud credentials to expand access or maintain C2 via Actions.
- Collection: Harvesting secrets stored locally or within configuration files accessible to the executed package scripts.
- Exfiltration: C2 communication established via malicious GitHub Actions workflows.
- Impact: Theft of sensitive authentication secrets and compromise of developer ecosystems.
## Impact Assessment
- Financial: Not explicitly quantified, but significant costs likely associated with forensic investigation and credential rotation for affected organizations.
- Data Breach: Theft of sensitive authentication tokens and API keys (GitHub, AWS IAM, Slack, OpenAI, Claude, GitLab). Over 33,000 unique secrets exposed in total scans.
- Operational: Disruption to development workflows and potential compromise of CI/CD pipelines for affected organizations (e.g., Trigger.dev confirmed unauthorized GitHub access).
- Reputational: Negative impact on the trust associated with the npm ecosystem.
## Indicators of Compromise
- Network Indicators: (Not provided, likely command and control traffic during C2 operations via GitHub Actions).
- File Indicators: Installation and execution of malicious payloads driven by compromised **npm packages**.
- Behavioral Indicators: Dynamic execution of code using the **Bun runtime** environment during package installation; creation of new, unauthorized **GitHub Actions workflows**.
## Response Actions
- Containment measures: (Not detailed, assumed rapid invalidation/revocation of exposed secrets found by researchers).
- Eradication steps: (Not detailed, likely involved removing malicious packages from dependency trees).
- Recovery actions: Trigger.dev postmortem suggests a recovery process following credential theft and unauthorized access confirmation.
## Lessons Learned
- Dependency monitoring is insufficient; malware is evolving to target new runtimes (Bun) for better evasion.
- Supply chain compromise remains a primary risk, capable of affecting multiple organizations globally via third-party packages.
- Secrets stored in code repositories and CI/CD configurations are high-value targets, even if the initial attack vector is a simple package download.
## Recommendations
- Implement stronger secrets scanning across all development pipelines and environments before deployment or commit.
- Mandate isolation or strictly limit the permissions of code execution environments, especially during package installation phases.
- Enhance monitoring for anomalous runtime behavior, specifically looking for the dynamic introduction and usage of non-standard execution environments like the Bun runtime in package processing stages.
- Adopt robust third-party software scanning tools capable of detecting malicious behavior within package installation scripts.