Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft
Summary:
On November 24, 2025, a second wave of the Shai-Hulud npm supply-chain campaign, branded by the attacker as “Sha1-Hulud: The Second Coming”, began pushing malicious updates to hundreds of npm packages. It lands just weeks before npm revokes classic tokens on December 9, 2025, which suggests the actor is racing to exploit maintainers whose projects still rely on weak, long-lived credentials and have not yet migrated.
Shai-Hulud is a self-replicating npm worm that targets developer workstations and CI/CD runners. Its payload is wired into the npm preinstall lifecycle hook, so it executes automatically, before the install finishes, on every machine or pipeline that installs an infected version. It runs TruffleHog to harvest secrets (npm and GitHub tokens, cloud credentials, and anything else it can read from disk or the environment) and exfiltrates them by committing them to public GitHub repositories with random names whose description reads “Sha1-Hulud: The Second Coming.” Any npm publish token it recovers is then used to push trojanized versions of other packages that maintainer controls, which is how it spreads through the ecosystem. This “Second Coming” differs significantly from the first wave:
- It installs the Bun runtime via setup_bun.js (the preinstall loader) and then executes the main payload, bun_environment.js, under Bun.
- It randomizes the names of the GitHub repositories it creates instead of using a hardcoded name, so they cannot be found by name alone; the fixed description string is the remaining indicator.
- It can infect up to 100 npm packages per compromised maintainer (versus 20 in the first wave).
- If it cannot authenticate to either GitHub or npm (so it can neither exfiltrate nor spread), it falls back to destructive behaviour and wipes all files in the user’s home directory.
Security Officer Comments:
Researchers have also observed attacker mistakes and “community spread” packages that ship setup_bun.js but not bun_environment.js; installing those stages the loader but never runs the payload, so some infections are only partial. Even so, roughly 26k+ GitHub repositories holding exfiltrated data have been observed so far, and GitHub is actively removing attacker-created repos while the actor keeps creating new ones. From a risk perspective, the real concern is not just the immediate theft of secrets but the secondary compromise those secrets enable: unauthorized access to GitHub, npm and cloud accounts, silent backdooring of further packages, and long-lived footholds in CI/CD and cloud environments.
Suggested Corrections:
Remove and replace compromised packages
- Identify and remove installed versions published during the campaign window, then clear the npm cache (npm cache clean --force) so cached infected tarballs are not reinstalled.
- Pin dependencies to known clean versions or roll back to lockfiles and builds from before November 21, 2025.
Rotate all credentials
- Treat every secret reachable from an affected machine or runner as compromised: revoke and regenerate npm tokens, GitHub PATs, SSH keys, and cloud provider credentials.
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) for developer and CI/CD accounts.
Audit GitHub and CI/CD environments
- Search for newly created repositories whose description contains “Sha1-Hulud: The Second Coming” (the first wave used a hardcoded “Shai-Hulud” repository name, so check for that as well).
- Review for unauthorized workflows or suspicious commits referencing “hulud”.
- Monitor for unexpected npm publishes under your organization’s packages and maintainers.
Harden pipelines
- Restrict or disable lifecycle scripts (preinstall, install, postinstall) in CI/CD, for example with ignore-scripts=true in .npmrc or npm ci --ignore-scripts, and allow-list only the packages that genuinely need them.
- Limit outbound network access from build systems to trusted domains only, so a compromised build cannot reach arbitrary endpoints to exfiltrate secrets or publish packages.
- Use short-lived, scoped automation tokens rather than long-lived classic tokens.
Link(s):
https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html