640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack

The new self-replicating worm iteration has destructive capabilities, erasing home directory contents if it cannot spread to more repositories. The post 640 NPM Packages Infected in New ‘Shai-Hulud’ Supply Chain Attack appeared first on SecurityWeek.

Approximately 640 NPM packages have been infected with a new variant of the Shai-Hulud self-replicating worm in a fresh wave of attacks.

The first Shai-Hulud iteration emerged in mid-September, when it infected over 180 packages in a supply chain attack leading to the exposure of GitHub, NPM, AWS, and Google Cloud credentials, Atlassian keys, and Datadog API keys.

Upon execution on a victim’s system, the malware would search for NPM tokens, enumerate the packages the victim has access to, inject them with a post-install script to propagate itself, repackage them, and then publish the malicious package versions to the repository.

Within days, the malware compromised dozens of developer accounts and published over 700 malicious package versions. It also harvested credentials and other secrets from the victim and published them to public repositories, and migrated private repositories to public ones.

In the fresh version of the supply chain attack, launched over the weekend, the Shai-Hulud worm is even more aggressive and has been updated with destructive capabilities, security researchers warn.

Unlike the previous version, the new Shai-Hulud samples rely on the NPM packages’ preinstall scripts for propagation, which “dramatically widens the blast radius across dev machines and CI/CD pipelines,” cybersecurity outfit Wiz warns.

The worm drops two files, named ‘setup_bun.js’ and ‘bun_environment.js’, which contain a loader and the actual payload, respectively. According to Wiz, it also adds multiple GitHub Actions workflows, including a backdoor that supports command execution triggered via discussions in the GitHub repository.

JFrog also observed that a system’s DNS would be hijacked following infection and that, if the worm does not find GitHub or NPM tokens to abuse, it executes a wiping function to delete all user data on Windows and erase all files and empty directories on Unix-based systems.

The malware also launches privileged Docker containers and modifies sudoers files to gain root access for privilege escalation, Upwind notes.

Wiz and Upwind said on Monday that they identified over 25,000 malicious repositories published by the malware. Wiz warned that it was seeing approximately 1,000 new packages being published every 30 minutes.

The same as in September, Shai-Hulud seeks to harvest developer secrets, including tokens, cookies, and local workspace data, which it uploads to GitHub repositories under the attackers’ control.

As ReversingLabs explains, the data exfiltration repositories associated with the attack have random names and the ‘Sha1-Hulud: Second Coming’ description. The company has identified 27,000 such repos.

Unlike the previous version, the new Shai-Hulud iteration can infect up to 100 NPM packages maintained by any of its victims. The first trojanized package distributing the worm might have been @asyncapi/specs, which has roughly 1.4 million weekly downloads, ReversingLabs says.

Aikido says it detected 36 packages from AsyncAPI that were trojanized, and that the attack later spread to PostHog packages, Postman packages, and many others.

“Threat actors have slipped malicious code into hundreds of NPM packages — including major ones from Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman. If a developer installs one of these bad packages, the malware quietly runs during installation, before anything even finishes installing,” Aikido warns. The compromised packages have a combined monthly download count of over 130 million.

As Upwind points out, what makes the fresh supply chain attack a major threat is the speed and automation in turning each infected maintainer into a point of amplification.

“Stolen tokens are reused instantly to republish malicious packages and inject rogue workflows, transforming Shai Hulud 2.0 into an ecosystem-wide worm rather than an isolated supply-chain incident,” Upwind notes.

According to Sonatype principal security researcher Garrett Calpouzos, another worrying aspect of the attack is how the massive malicious source file that publishes harvested data to public repos confuses AI analysis tools.

“It’s so large that it exceeds a normal context window and the models can’t keep track of everything they’re reading. I’ve asked both ChatGPT and Gemini to analyze it and I get different answers each time. Looking at their reasoning, they’re searching for obvious malware patterns — like calls to suspicious domains — and not finding any, so they incorrectly conclude it’s just a legitimate session or token management library,” Calpouzos said.

Organizations are advised to scan their systems for indicators of compromise (IoCs), rotate potentially compromised secrets (including SSH keys, GitHub and cloud credentials, and tokens), and ensure strong multi-factor authentication is enforced.

They should also review workflows and pipelines for anomalies, recreate self-hosted runners and CI agents from clean images, improve pipeline guardrails, and implement continuous monitoring to detect anomalous behavior.

“To defend against this kind of attack, dev and security teams must treat npm package management and CI/CD pipelines as part of the threat surface. This means enforcing strict token/scoped access policies, limiting or auditing lifecycle scripts (especially preinstall/postinstall hooks), monitoring secrets in build environments and using behavioral analytics to detect unusual GitHub Actions workflows or outbound connections from build hosts. Given the worm-like nature of Shai-Hulud, time is of the essence: any delay in rotating tokens or cleaning compromised build agents can lead to rapid spread,” SOCRadar CISO Ensar Seker said.
