Major Credential Theft Hits 25,000+ Repositories in Sha1-Hulud npm Wave
Recent attacks dubbed the Sha1-Hulud npm wave have compromised over 25,000 repositories, raising alarms across the security community. Security firms Aikido, HelixGuard, Koi Security, Socket, and Wiz have reported that these attacks utilize trojanized npm packages. The malicious packages were uploaded to the npm registry between November 21 and 23, 2025.
Details of the Sha1-Hulud Attacks
This new supply chain threat is an evolution of the previous Shai-Hulud attack, which surfaced in September 2025. Researchers from Wiz noted that the Sha1-Hulud campaign implements a new variant that executes harmful code during the preinstall stage, increasing the risk of exposure in development environments.
Malicious Activities
The trojanized packages include a preinstall script named “setup_bun.js” that stealthily installs the Bun runtime. It also executes a bundled malicious script, “bun_environment.js.” The malware performs several actions:
- Registers the infected machine as a self-hosted runner called “SHA1HULUD.”
- Creates a workflow with an injection vulnerability named .github/workflows/discussion.yaml.
- Exfiltrates secrets from the GitHub secrets section and uploads them to a file named “actionsSecrets.json.”
The malware can scan the local machine using TruffleHog to steal sensitive data, including npm tokens and cloud provider credentials.
Impact and Statistics
Wiz has identified more than 25,000 repositories affected by the Sha1-Hulud malware, involving around 350 unique users. Alarmingly, around 1,000 new compromised repositories were added every 30 minutes during the last few hours of the attack window.
Koi Security has labeled this latest wave as significantly more aggressive. In cases where the malware fails to authenticate or secure persistence, it triggers a destructive sequence that erases files in the victim’s home directory, depending on certain conditions.
Mitigation Strategies
To defend against these threats, organizations are advised to implement several practices:
- Scan all endpoints for compromised packages.
- Remove any infected versions immediately.
- Rotate all credentials to prevent unauthorized access.
- Audit repositories for any suspicious activities and unusual workflows.
As the threat landscape evolves, continued vigilance will be essential for developers and organizations to secure their environments against such sophisticated supply chain attacks.
