Second wave of Sha1-Hulud npm attacks hits hundreds of packages

The npm ecosystem has been hit with a second wave of the Shai-Hulud supply-chain attacks, first spotted earlier this year. The new campaign, called “Sha1-Hulud,” compromised hundreds of npm packages uploaded between November 21 and 23, 2025, according to reports from multiple cybersecurity companies.

The campaign has infected popular packages, including those from Zapier, ENS Domains, PostHog, and Postman. Researchers say the attackers added a hidden script that runs during the preinstall phase, which gives the malware a chance to execute before the package is even fully installed.

Just like the original Shai-Hulud attack uncovered in September, the new operation steals secrets and uploads them to GitHub. The malware also behaves similarly by using TruffleHog to scan infected machines for sensitive data such as npm tokens and cloud credentials.

However, researchers say this second wave is far more aggressive. Once the package runs, it quietly installs or finds the Bun runtime and uses it to launch another malicious script. This script registers the victim’s machine as a GitHub self-hosted runner that responds to specially crafted GitHub Discussions. Through this setup, the attackers can remotely run commands on the infected machine.

The malware then collects GitHub Actions secrets and stores them in a file that gets uploaded to attacker-controlled repositories before being wiped locally to hide its tracks.

More than 27,000 repositories across 350 users have been affected so far, with about 1,000 new repositories added every half hour.

The new version runs on Linux, macOS, and Windows, and uses one victim’s GitHub repository to store another victim’s stolen secrets. The malware searches GitHub for the “Sha1-Hulud: The Second Coming” phrase; if it finds it, it retrieves and decodes a stored GitHub token to use for further exfiltration.

The attackers also improved the malware’s ability to spread automatically. If the malware finds a valid npm token on the machine, it pulls up to 100 packages linked to that token, inserts its malicious files, updates the package version, and republishes everything to npm.

Researchers say the malware also includes destructive behavior. If it can’t steal credentials or set up an exfiltration channel, it may try to erase the victim’s entire home directory. This happens only in certain circumstances, such as when it can’t authenticate to GitHub or find the required tokens.

The malware can also gain root access on Linux machines by spinning up a privileged Docker container, mounting the host system, and placing a malicious sudoers file that gives the attacker passwordless root privileges.
