Shai-Hulud Supply Chain Attack: Self-Replicating Worm Compromises 800+ npm Packages and 26,000 GitHub Repositories
From Credential Theft To Data Destruction In One Attack – Why Software Dependency Auditing Matters More Than Ever
- Scope of Compromise: Over 800 npm packages trojanized with malicious code
- Repository Exposure: More than 26,000 GitHub repositories created containing stolen credentials, with approximately 1,000 new repositories added every 30 minutes during peak activity
- Download Impact: Affected packages account for an estimated 132 million monthly downloads
- Major Victims: Packages from Zapier, ENS Domains, PostHog, Postman, AsyncAPI, and Browserbase have been compromised
- Cloud Presence: Some infected packages are present in approximately 27% of cloud and code environments
- Attack Window: Malicious packages uploaded between November 21-23, 2025
(Sha1-Hulud Supply Chain Attack)
How the Attack Works
The Shai-Hulud worm employs a sophisticated multi-stage attack chain designed to evade detection and maximize credential theft.
- Preinstall Execution: The malware adds a preinstall hook to the package.json file that runs a script named “setup_bun.js”; npm executes preinstall hooks automatically before installation completes
- Bun Runtime Bypass: The script installs or locates the Bun runtime environment to execute its payload, operating outside the standard Node.js execution path to evade static analysis tools
- Obfuscation: The core payload, bun_environment.js, is a 10MB file that uses extreme obfuscation: massive hex-encoded string arrays with thousands of entries, anti-analysis loops performing millions of arithmetic operations, and string retrieval through obfuscated functions
- Credential Scanning: The malware downloads and executes TruffleHog to scan the infected machine for API keys, npm tokens, AWS/GCP/Azure credentials, and environment variables
- GitHub Persistence: It registers the infected machine as a self-hosted runner named “SHA1HULUD” and creates malicious workflow files that allow attackers to run arbitrary commands by opening discussions in the GitHub repository
- Self-Replication: Using stolen npm tokens, the worm publishes malicious copies of itself to additional packages owned by the compromised maintainer, spreading the infection exponentially
- Data Exfiltration: Stolen secrets are uploaded to randomly named public GitHub repositories identified by the description “Sha1-Hulud: The Second Coming”
The Destructive Escalation: Wiper Functionality
Perhaps the most alarming development in this second wave is the addition of destructive capabilities. If the malware cannot successfully steal credentials or establish persistence, it defaults to catastrophic data destruction.
- Trigger Conditions: The wiper activates when the malware cannot authenticate to GitHub, cannot create a repository, cannot fetch a GitHub token, or cannot find an npm token
- Destructive Action: The malware attempts to destroy the victim’s entire home directory by deleting every writable file owned by the current user
- Strategic Purpose: This represents a shift from purely data-theft to punitive sabotage – if the attackers can’t benefit from the compromise, they ensure the victim suffers maximum damage
- Evidence Elimination: The destruction may also serve to eliminate forensic evidence of the compromise
(SHA1-Hulud Workflow – Source: The Hacker News)
Who Is Behind the Attack?
The identity of the attackers remains unconfirmed. While the campaign references the original Shai-Hulud naming conventions and employs similar techniques, security researchers at Wiz note there are differences that make attribution uncertain. The campaign may involve the same actors from the September 2025 wave or could represent copycat attackers leveraging the established tradecraft.
What’s clear is that the attackers demonstrate sophisticated understanding of software supply chain mechanics and have timed their campaign strategically – just weeks before npm plans to revoke classic tokens on December 9, 2025, as part of enhanced security measures.
Who Is at Risk?
The Shai-Hulud attack poses significant risks across multiple categories of potential victims.
- Software Developers: Anyone who installed affected packages during the attack window may have had credentials stolen from their development environments
- CI/CD Environments: Build systems and continuous integration pipelines that pulled compromised packages are at particular risk, as these often contain powerful tokens and secrets
- Organizations Using Affected Packages: Companies relying on packages from AsyncAPI, Postman, PostHog, Zapier, or ENS Domains should assume potential exposure
- Cloud Environments: The malware specifically targets AWS, Azure, and Google Cloud Platform credentials, putting cloud infrastructure at risk
- Open-Source Maintainers: Developers who maintain npm packages may have their accounts compromised and used to further propagate the infection
- Downstream Users: Even organizations that didn’t directly install infected packages may be affected through transitive dependencies
Remediation Steps
Organizations should take immediate action to assess and remediate potential exposure to the Shai-Hulud attack.
- Audit Dependencies: Scan all endpoints and projects for the presence of affected packages, looking for suspicious files like setup_bun.js and bun_environment.js
- Remove Compromised Packages: Immediately remove any trojanized package versions and replace with known-clean versions
- Rotate All Credentials: Assume any credentials accessible from affected systems have been compromised – rotate npm tokens, GitHub tokens, AWS/Azure/GCP credentials, and any API keys
- Review GitHub Workflows: Audit repositories for persistence mechanisms by checking .github/workflows/ for suspicious files such as shai-hulud-workflow.yml or unexpected branches
- Check for Self-Hosted Runners: Look for any unauthorized self-hosted GitHub runners, particularly those named “SHA1HULUD”
- Monitor for Downstream Attacks: Even if credentials have been rotated, monitor for signs of unauthorized access that may have occurred during the exposure window
- Enable npm Security Features: Migrate to trusted publishing and fine-grained access tokens ahead of the December 9 classic token revocation
How CinchOps Can Help
The Shai-Hulud supply chain attack highlights why Houston businesses need comprehensive cybersecurity monitoring that goes beyond traditional endpoint protection. Software supply chain attacks target the very tools developers trust, making them particularly insidious and difficult to detect without specialized expertise.
CinchOps provides managed IT support designed to protect small and medium-sized businesses from sophisticated threats like supply chain attacks:
- Continuous Security Monitoring: Our 24/7 monitoring services detect suspicious activity across your development and production environments before attackers can establish persistence
- Vulnerability Assessment: Regular scanning of your software dependencies and supply chain to identify compromised packages and potential exposure points
- Credential Management: Implementation of secrets management best practices that limit exposure when individual systems are compromised
- Incident Response: Rapid response capabilities to contain and remediate security incidents, minimizing damage from active attacks
- Security Awareness Training: Education for your development teams on supply chain security risks and safe package management practices
- Cloud Security: Protection for AWS, Azure, and GCP environments that are increasingly targeted by sophisticated threat actors
- Network Security: Comprehensive network security solutions that detect anomalous outbound connections associated with data exfiltration
Don’t wait for a supply chain attack to expose your business. Contact CinchOps today for a comprehensive security assessment and protect your Houston business from the evolving threat environment.