Urgent Alert: Second Sha1-Hulud Wave Devastates npm, Targets 25,000+ Repositories
Multiple security vendors are sounding an alarm over a sophisticated and highly aggressive new wave of attacks targeting the **npm registry**, the primary repository for JavaScript development. The campaign, dubbed **"Sha1-Hulud: The Second Coming,"** has trojanized hundreds of legitimate npm packages and compromised an estimated **25,000+ repositories** in a matter of days.
Security firms including Aikido, HelixGuard, Koi Security, Socket, Step Security, and Wiz have confirmed the activity, noting that the malicious packages were uploaded between November 21 and 23, 2025. Wiz researchers reported a staggering pace, with **1,000 new affected repositories appearing consistently every 30 minutes**.
Evolving Tactics: Preinstall Credential Theft
This second wave dramatically escalates the threat seen in the original Shai-Hulud attack in September 2025. The new variant executes its malicious code during the **`preinstall` phase**, the lifecycle hook npm runs before a package is installed, so the payload fires as soon as the package is pulled in, significantly increasing exposure in both development and automated CI/CD build environments.
The infection is triggered by a malicious `preinstall` script (e.g., `setup_bun.js`) referenced from the package's `package.json`. When npm runs that hook, the script quietly installs or locates the **Bun runtime** and uses it to execute a bundled malicious payload (`bun_environment.js`).
Malicious Payload: Secrets, Backdoors, and Root Access
The primary goals remain the same as the first wave—stealing and publishing secrets to GitHub repositories bearing the ominous description: **"Sha1-Hulud: The Second Coming."** However, the new variant adds alarming persistence and escalation capabilities:
- Credential Harvesting: The malware downloads and runs **TruffleHog** to scan the local machine, stealing highly sensitive data such as **npm tokens, AWS/GCP/Azure credentials,** and environment variables, according to HelixGuard.
- GitHub Backdoor & Exfiltration: The malware registers the infected machine as a self-hosted runner named **"SHA1HULUD."** It then injects a malicious workflow (`.github/workflows/discussion.yaml`) that runs on this self-hosted runner, allowing the attacker to execute arbitrary commands by merely opening a discussion in the GitHub repository. It also exfiltrates all secrets defined in the GitHub secrets section.
- Privilege Escalation: The malware attempts to obtain root privileges by executing a Docker command to mount the host's root filesystem. The goal is to copy a malicious `sudoers` file, granting the attacker **passwordless root access**.
- Self-Replication: As in the prior wave, the malware propagates in worm-like fashion by republishing itself into other npm packages owned by the compromised maintainer.
Punitive Sabotage: The Wiper Functionality
Koi Security has dubbed the second wave "a lot more aggressive," pointing to a destructive payload that acts as a failsafe. If the malware is unable to authenticate, obtain tokens, or secure any exfiltration channel, it defaults to **catastrophic data destruction**:
"In other words, if Sha1-Hulud is unable to steal credentials, obtain tokens, or secure any exfiltration channel, it defaults to catastrophic data destruction," researchers Yuval Ronen and Idan Dardikman stated. "This marks a significant escalation... shifting the actor's tactics from purely data-theft to punitive sabotage."
The malicious code attempts to wipe the victim's **entire home directory**, deleting every writable file owned by the current user beneath it.
Organizations must take immediate, coordinated action to mitigate the risk posed by this threat:
- Scan and Remove: Immediately scan all systems for the presence of affected packages and remove compromised versions.
- Rotate Everything: Assume compromise and **rotate all credentials** used in infected environments, including GitHub PATs, npm tokens, and cloud API keys (AWS/GCP/Azure).
- Audit Persistence: Review GitHub audit logs and repositories for persistence mechanisms, specifically checking the `.github/workflows/` directory for suspicious files like `shai-hulud-workflow.yml` or unexpected branches.