
On November 24th, HelixGuard reported on a new supply-chain campaign targeting npm, the package ecosystem used to extend the functionality of the popular Node.js runtime. As reported by Wiz, 25,000+ GitHub repositories have been created and populated with stolen data across hundreds of users, with rapid growth observed. Affected entities include popular projects such as Zapier, Postman, PostHog, and ENS Domains.

Shai-Hulud 2.0

The attack has been named "Shai-Hulud 2.0" after a similar event in September, and uses self-replicating malware distributed through compromised npm packages. Once installed, the malicious packages attempt to collect credentials and tokens for npm, GitHub, Azure, GCP and AWS accounts, exfiltrate them by publishing them to repositories created under the victim's GitHub account, and self-replicate automatically through CI/CD environments.

Compromised versions of the npm packages have a preinstall script ("preinstall": "node setup_bun.js") added to package.json, as well as a large (roughly 10 MB), heavily obfuscated bun_environment.js file.

When executed, the infected packages are reported to download and run TruffleHog, an open-source secret scanner, to locate tokens and secrets on the host. Found secrets are exfiltrated by creating a GitHub repository with the description "Sha1-Hulud: The Second Coming" and committing them there.

Based on reports from Wiz and Aikido, the malicious packages were first uploaded between November 21st and 23rd. GitHub is actively removing repositories created by the attacker.

Threat Intelligence assessment

The threat represents an overall high risk for any organisation building or running Node.js software, especially those whose CI/CD pipelines install npm dependencies without pinned versions and have access to cloud, GitHub or npm tokens.

Shai-Hulud 1.0 vs. Shai-Hulud 2.0

  • Execution shifted to the preinstall lifecycle script, which runs as soon as the package is installed and therefore triggers in more environments (developer machines and CI).
  • New payload files: the stager setup_bun.js and a large, obfuscated bun_environment.js.
  • Automation and scale appear larger and faster than in the initial wave.
  • Destructive fallback (home directory wipe) when the malware is unable to steal secrets.

Attribution

No confirmed attribution at this point. Wiz notes tradecraft similarities to prior Shai-Hulud and Nx-linked activity.

Scope, targets, exposure and time frame

  • Malicious versions were first uploaded between November 21st and 23rd, 2025, and publicly reported on November 24th, 2025. The campaign is still ongoing.
  • ~700 compromised packages/versions, and rising.
  • 25,000+ GitHub repositories created and populated with stolen data across hundreds of users, with rapid growth observed.
  • Initial prevalence data shows widely used packages present in a large fraction of scanned environments.

Recommendations

  • Verify whether any of your software or build processes are affected by the campaign.
  • If you are affected, rotate all credentials that may have been exposed, including GitHub, npm, cloud keys, SSH keys, tokens and API keys. Delete node_modules and clean the npm cache (npm cache clean --force) on all affected systems.
  • Check relevant GitHub repositories for Shai-Hulud related content: repositories with the description "Sha1-Hulud: The Second Coming" or "Shai-Hulud", signs of malicious workflows, and repository audit logs showing non-legitimate changes.
  • Consider escalation to your internal or external incident response team.
  • Update to vetted package versions.

For protective measures:

  • Consider freezing builds until application dependencies have been verified.
  • Enforce MFA on your GitHub and npm accounts.
  • Consider pinning exact package versions for better dependency control.

Indicators of compromise (IOCs)

There are several sets of indicators that can be used to detect different parts of the attack chain:

A) File system IOCs

  • npm package modification: a newly added preinstall script in package.json that points at setup_bun.js.
  • Stager: setup_bun.js appears inside an npm package version where it did not exist previously.
  • Payload: bun_environment.js, typically very large (around 10 MB) and heavily obfuscated, included in the package tarball.

Note: It has been reported that some infected packages include setup_bun.js but not bun_environment.js, due to bugs in the attacker's automation. The stager alone is still considered an indicator of compromise.

B) GitHub IOCs

  • GitHub repository: random name (e.g. g8qesxmrj2thel3t2r) and the description "Sha1-Hulud: The Second Coming".
  • Files in the repository:
    • contents.json: GitHub credentials and tokens, system information
    • environment.json: system environment variables
    • cloud.json: collected cloud secrets
    • actionsSecrets.json: GitHub Actions repository secrets
    • truffleSecrets.json: results of the TruffleHog secrets scan

C) NPM IOCs

  • Unexpected npm publishing: any package published from maintainer or CI accounts outside the normal release cadence, not tied to a known release, or including a new preinstall script plus the Bun artifacts (setup_bun.js, bun_environment.js).

D) Destructive fallback IOC

Home directory wipe: this version of Shai-Hulud contains destructive capabilities. If it fails to steal credentials, it attempts to delete every writable file in the user's home directory.
