Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub

Du'aine Davis · 2025-11-25T10:43:27+00:00

Observed in the wild * On 24 November, the second wave of the Shai-Hulud supply-chain attack compromised hundreds of npm packages, including those from Zapier, ENS, AsyncAPI, PostHog, and Postman. The malware executes during installation, granting attackers access to developer machines and CI/CD environments. Over 132…

Du'aine Davis

Observed in the wild

On 24 November, the second wave of the Shai-Hulud supply-chain attack compromised hundreds of npm packages, including those from Zapier, ENS, AsyncAPI, PostHog, and Postman. The malware executes during installation, granting attackers access to developer machines and CI/CD environments. Over 132 million monthly downloads are affected, with secrets exfiltrated to public GitHub repositories titled “Sha1-Hulud: The Second Coming.”
The worm installs via malicious npm packages, leveraging scripts like setup_bun.js to deploy bun_environment.js. It uses TruffleHog to harvest API keys, tokens, and credentials, then publishes stolen data to randomly named GitHub repos. If authentication fails, it wipes the user’s home directory. The malware also attempts to propagate by publishing infected packages back to npm, amplifying ecosystem-wide compromise.
Security teams should audit npm dependencies (especially Zapier/ENS-related), rotate all GitHub, npm, cloud, and CI/CD secrets, and disable npm postinstall scripts in CI pipelines. Pin package versions, enforce MFA on GitHub and npm accounts, and monitor for GitHub repos with the description “Sha1-Hulud: The Second Coming.” Use tools like Microsoft Defender for Endpoint and Safe-Chain to detect anomalous behaviour and block malicious packages.

Shai Hulud 2.0 Strikes Again: Malware Supply-Chain Attack Hits Zapier & ENS Domains

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

Update:The Shai Hulud v2 campaign, initially focused on the npm ecosystem, has now spilled over into Java/Maven. The Maven Central artifact org.mvnpm:posthog-node:4.18.1 was found embedding the same Bun-based malicious payload (bun_environment.js, SHA-1: d60ec97eea19fffb4809bc35b91033b52490ca11) and loader (setup_bun.js) used in the npm compromise. This indicates that PostHog releases were impacted across both npm and Maven ecosystems via the same payload.On 25 November,

18:06 UTC: Maven Central confirmed investigation; noted org.mvnpm artifacts are auto-generated from npm packages and committed to preventing rebundling of known compromised components.
18:50 UTC: PostHog confirmed they do not publish to Maven; the malicious npm version was already removed, and the Maven artifact was a mirrored copy.
22:44 UTC: Maven Central purged affected components and implemented measures to block reintroduction.

Shai Hulud Strikes Again (v2) - Socket

See what's trending

Click on a tag to discover all the published content related to it.