Shai-Hulud Returns with Mass Credential Theft

November 25, 2025

This article has been authored by Ryan Hicks, Vice President Cyber Threat Intelligence, Kroll

Key Takeaways

  • A second wave of the Shai-Hulud Node Package Manager (NPM) worm, dubbed Sha1-Hulud, is spreading across popular packages.
  • The biggest risk presented by this threat is public leakage of application secrets, particularly for GitHub, NPM, Azure, Amazon Web Services and Google Cloud Platform.
  • Developers are strongly advised to check for any sign that an affected package version was previously installed and, if so, to roll their secrets.

Kroll Threat Intelligence is tracking a second wave of ‘Shai-Hulud’ NPM compromises, named ‘Sha1-Hulud’ after both the GitHub Action name the worm creates and the description of the public repositories it creates to publish stolen credentials.

In September 2025, the first wave of Shai-Hulud was discovered, in which many popular NPM packages were updated to include a malicious preinstall function. That campaign affected over 700 packages and led to stolen secrets, publicly posted credentials and worm-like spreading behavior that infected further packages.

For the second wave, reporting from Koi Security indicates that, at the time of its report, 800 packages had been confirmed infected, including popular packages from Zapier, Postman and asyncapi. Victims that download and install an infected package are themselves infected through a series of actor-introduced preinstall scripts located in the package: setup_bun.js and bun_environment.js. As in the previous campaign, this launches TruffleHog, a legitimate open-source tool used to scan for over 800 types of credential secrets, including:

  • NPM Tokens
  • GitHub
  • Amazon Web Services
  • Google Cloud Platform
  • Microsoft Azure
  • CircleCI

If GitHub credentials are found, the worm creates a new public repository under that developer's account with a name made up of random characters, where the previous campaign used the name ‘Shai-Hulud’. These new repositories carry the description ‘Sha1-Hulud: The Second Coming’, likely a tactic to make the repositories easier to find and so increase the impact of the leak. Inside each public repository is a JSON file wrapped in several layers of Base64 encoding, which decodes to the collected TruffleHog data, including the victim's secrets and tokens. At the time of writing, over 18,000 such public repositories were present; researchers on the social media platform X report up to 28,000 at the peak. Although this indicates a significant victim base, the figure includes multiple repositories created for the same developer, so the actual number of unique GitHub victims will be lower.
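The Base64-layered JSON described above is what an incident responder has to unpack when triaging one of these repositories. The Python below is an added example, not Kroll's code and not a reproduction of the worm's own file format: it peels Base64 layers until a JSON document emerges, then summarises the findings with the secret values redacted so the result can go into a ticket without re-exposing the credentials. The field names (DetectorName, Verified, Raw) follow TruffleHog's JSON output, but the sample document and every token value in it are constructed for this example.

```python
import base64
import json

# Constructed sample modelled on TruffleHog's JSON output (DetectorName /
# Verified / Raw). The token values are placeholders, not real credentials.
SAMPLE_FINDINGS = {
    "results": [
        {"DetectorName": "Github", "Verified": True,
         "Raw": "ghp_EXAMPLE" + "0" * 29},
        {"DetectorName": "AWS", "Verified": False,
         "Raw": "AKIAEXAMPLE" + "0" * 9},
    ]
}


def wrap_in_layers(obj, layers: int) -> str:
    """Serialise obj as JSON and Base64-encode it `layers` times. This is a
    fixture reproducing the nested encoding the article describes."""
    data = json.dumps(obj)
    for _ in range(layers):
        data = base64.b64encode(data.encode("utf-8")).decode("ascii")
    return data


def peel_base64_layers(blob: str, max_layers: int = 10):
    """Strip Base64 layers from blob until a JSON object or array appears.

    Returns (decoded_object, layers_removed). Raises ValueError when a layer
    is not valid Base64/UTF-8 or no JSON emerges within max_layers.
    """
    current = blob
    for layer in range(max_layers + 1):
        try:
            obj = json.loads(current)
            # A bare Base64 string such as "1234" parses as a JSON number, so
            # only a container counts as the final document.
            if isinstance(obj, (dict, list)):
                return obj, layer
        except json.JSONDecodeError:
            pass
        # Remove whitespace/newlines between chunks, then decode one layer.
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        compact = "".join(current.split())
        try:
            current = base64.b64decode(compact, validate=True).decode("utf-8")
        except ValueError as exc:  # binascii.Error and UnicodeDecodeError
            raise ValueError(f"layer {layer} is not Base64-encoded UTF-8") from exc
    raise ValueError(f"no JSON document within {max_layers} layers")


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the secret type is recognisable, hide the rest."""
    return f"{secret[:keep]}...({len(secret)} chars)"


def summarize_findings(doc: dict, results_key: str = "results"):
    """Return (detector, verified, redacted_secret) tuples for each finding."""
    summary = []
    for item in doc.get(results_key, []):
        summary.append((item.get("DetectorName", "?"),
                        bool(item.get("Verified", False)),
                        redact(str(item.get("Raw", "")))))
    return summary


if __name__ == "__main__":
    blob = wrap_in_layers(SAMPLE_FINDINGS, 3)
    doc, layers = peel_base64_layers(blob)
    print(f"removed {layers} Base64 layers")
    for detector, verified, secret in summarize_findings(doc):
        print(f"{detector:<8} verified={verified!s:<5} {secret}")
```

The redacted summary is what you want to circulate internally: it tells the owning team which credential types to rotate (the page's recommendation) without copying the raw tokens into yet another system.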

Sha1-Hulud created public repositories containing secrets (Source: Kroll via GitHub)

Beyond the GitHub activity, Sha1-Hulud spreads to additional packages by downloading packages maintained by the victim (up to 100), injecting the same JavaScript files, incrementing the package version and publishing the result back to NPM. These new versions are then ready to be downloaded by new victims, and the spread continues.

A new feature in Sha1-Hulud compared to its predecessor is a destructive capability. As reported in Aikido's analysis, if it cannot authenticate to GitHub or cannot fetch tokens from NPM or GitHub, it attempts to delete all writable files owned by the victim user within the home directory.

It is currently unknown which package was the first to be infected, or how that occurred. Based on recent trends in social engineering of developers on PyPI and NPM, however, it is likely that a developer with access to multiple popular packages was socially engineered through a spoofed email from a fake NPM address. This likely led to the first packages being infected, from which Sha1-Hulud spread far and wide.

Kroll Threat Intelligence continues to monitor updates related to this activity.


Recommendations

  • Organizations should check for any existing or previous installation of any of the affected packages. Koi Security maintains an updated list of these.
  • Developers should check for signs of compromise, in particular new, unexpected GitHub repositories created with the “Sha1-Hulud” description and previously private repositories that have become public.
  • NPM developers should check for any unknown updates to the packages they maintain.
  • If any sign of compromise is found, re-roll the secrets that may have been present on the device, particularly GitHub, NPM, AWS, Google Cloud Platform and Azure.
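The first recommendation, checking for existing or previous installations of affected packages, can be scripted. The Python below is an added example (not Kroll's or Koi Security's tooling): it walks node_modules for package.json files, flags any package whose version is on an affected list, whose install-lifecycle script runs setup_bun.js or bun_environment.js, or which ships either file, and cross-checks a package-lock.json (lockfileVersion 2/3 "packages" map) against the same list so a fresh checkout without node_modules can still be triaged. AFFECTED_VERSIONS is a placeholder to be filled from a maintained IoC list such as Koi Security's; the package name and version in it, and the sample project that demo() writes to a temporary directory, are constructed.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

# File names the article identifies as the actor-introduced preinstall scripts.
SUSPICIOUS_FILES = ("bun_environment.js", "setup_bun.js")

# PLACEHOLDER: populate from a maintained IoC list (e.g. Koi Security's) as
# {package name: {compromised versions}}. The entry below is constructed.
AFFECTED_VERSIONS = {
    "@example/infected-pkg": {"1.2.4"},
}


def inspect_manifest(manifest: dict, pkg_dir: Optional[Path] = None) -> list:
    """Return findings for one package.json (and, if given, its directory)."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    version = manifest.get("version", "<unknown>")
    scripts = manifest.get("scripts") or {}
    tag = f"{name}@{version}"
    # 1. Version is on the affected list.
    if version in AFFECTED_VERSIONS.get(name, set()):
        findings.append(f"{tag}: version is on the affected list")
    # 2. An install-lifecycle hook invokes one of the loader files.
    for hook in ("preinstall", "install", "postinstall"):
        cmd = scripts.get(hook, "")
        if any(f in cmd for f in SUSPICIOUS_FILES):
            findings.append(f"{tag}: {hook} script runs {cmd!r}")
    # 3. A loader file is present on disk next to the manifest.
    if pkg_dir is not None:
        for f in SUSPICIOUS_FILES:
            if (pkg_dir / f).is_file():
                findings.append(f"{tag}: contains {f}")
    return findings


def scan_node_modules(root: Path) -> list:
    """Inspect every package.json under node_modules, nested and scoped included."""
    findings = []
    for manifest_path in sorted(root.rglob("package.json")):
        if "node_modules" not in manifest_path.parts:
            continue
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
        if isinstance(manifest, dict):
            findings.extend(inspect_manifest(manifest, manifest_path.parent))
    return findings


def scan_lockfile(lock_path: Path) -> list:
    """Check a package-lock.json (lockfileVersion 2/3) for affected versions."""
    lock = json.loads(lock_path.read_text(encoding="utf-8"))
    findings = []
    for key, entry in lock.get("packages", {}).items():
        if not key:
            continue  # "" is the root project itself
        # Keys look like "node_modules/@scope/name" or "node_modules/a/node_modules/b".
        name = key.split("node_modules/")[-1]
        if entry.get("version") in AFFECTED_VERSIONS.get(name, set()):
            findings.append(f"{name}@{entry['version']}: pinned in {lock_path.name}")
    return findings


def build_sample_project(base: Path) -> None:
    """Write a constructed project: one clean dependency, one infected one."""
    clean = base / "node_modules" / "left-pad-example"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "left-pad-example", "version": "1.0.0"}))
    bad = base / "node_modules" / "@example" / "infected-pkg"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@example/infected-pkg", "version": "1.2.4",
        "scripts": {"preinstall": "node setup_bun.js"}}))
    for f in SUSPICIOUS_FILES:
        (bad / f).write_text("// constructed stand-in, not the real loader\n")
    (base / "package-lock.json").write_text(json.dumps({
        "name": "sample", "lockfileVersion": 3,
        "packages": {
            "": {"name": "sample", "version": "0.0.1"},
            "node_modules/left-pad-example": {"version": "1.0.0"},
            "node_modules/@example/infected-pkg": {"version": "1.2.4"}}}))


def demo() -> list:
    """Build the sample project in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_project(base)
        return scan_node_modules(base) + scan_lockfile(base / "package-lock.json")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan_node_modules at each project root (and CI runner workspace) and scan_lockfile at every lockfile under version control; a hit on any of the three checks is the trigger for the credential rotation the final recommendation calls for.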
