Multiple vendors have issued a security alert about a new supply chain attack against the npm registry, named Sha1-Hulud. The campaign surfaced as malicious package versions uploaded between November 21 and 23, 2025, and has already compromised hundreds of npm packages. Reports from security firms including Aikido, JFrog, ReversingLabs, and Wiz confirm that popular packages from organizations such as Zapier, Postman, and ENS Domains were affected. This iteration is particularly concerning because its malicious code runs during the npm preinstall phase: simply installing an affected version executes the payload, before any of the package's own code is ever imported, which drastically widens the exposure of build pipelines and runtime environments alike.
The Sha1-Hulud campaign closely resembles the Shai-Hulud attack of September 2025. Both campaigns aim to steal developer secrets, and both publish the stolen data to GitHub; the current wave tags its repositories with the description "Sha1-Hulud: The Second Coming." The September wave compromised legitimate packages to inject malicious code that ran a credential scanner (TruffleHog) against the developer's machine and transmitted any secrets it found to an attacker-controlled server. Its defining feature was self-replication: the malicious code used the compromised maintainer's npm credentials to republish itself into other packages that maintainer owned, so the infection spread rapidly without further action by the attacker.
The latest wave introduces a new execution mechanism. The attackers modify the affected package's package.json to add a preinstall script that runs "setup_bun.js". This loader silently locates or installs the Bun runtime and uses it to execute a bundled malicious script, "bun_environment.js", which carries out a multi-stage attack. One stage registers the infected machine as a GitHub Actions self-hosted runner named "SHA1HULUD" and adds a deliberately vulnerable workflow (.github/workflows/discussion.yaml) to the repository. The workflow triggers on discussion events, runs on that self-hosted runner, and passes discussion content into a shell step, so the attacker can execute arbitrary commands on the infected machine simply by opening a discussion in the repository.
The second workflow handles data exfiltration. It reads all of the repository's GitHub Actions secrets, writes them to a file named "actionsSecrets.json", and uploads that file as a workflow artifact; the malware then downloads the artifact, forwards its contents to the attacker's exfiltration repositories, and promptly deletes the malicious workflow to remove evidence. Deleting the workflow file does not remove the completed workflow run from the repository's Actions history or its audit log, so those remain useful evidence during incident response. Security vendors including HelixGuard have also noted that the malware downloads and runs TruffleHog on the local machine, harvesting npm tokens, cloud credentials (AWS, GCP, Azure), and environment variables.
The rapid, automated replication behind Sha1-Hulud has produced a massive blast radius. At the time of reporting, the attack had already affected over 27,000 repositories belonging to approximately 350 unique users, and new repositories were appearing at a rate of about 1,000 every 30 minutes. This iteration is cross-platform, supporting Linux, macOS, and Windows. It also employs a technique described as cross-victim exfiltration: a victim's stolen secrets are pushed to a public repository owned by a separate, unrelated victim, so the repository that holds a given set of secrets does not belong to the user they were stolen from. To complicate detection further, the exfiltrated data is Base64-encoded three times before being uploaded. Encoding is not encryption, so anyone who finds such a repository, including other attackers, can recover the plaintext by decoding the three layers in turn.