November 24, 2025

3 Min Read

Sha1-Hulud malware is an aggressive npm supply-chain attack compromising CI/CD and developer environments. This blog addresses frequently asked questions and advises cloud security teams to immediately audit for at least 800 compromised packages.

A massive resurgence of the Sha1-Hulud malware family, self-titled by the attackers as "The Second Coming," was observed around Nov. 24 targeting the npm ecosystem. Attackers compromised at least 800 high-profile publisher accounts to upload trojanized versions of legitimate packages. Unlike previous iterations, these versions have new payloads and execute using install lifecycle scripts to compromise developer environments and CI/CD pipelines at scale. This time, the malware is significantly more aggressive than the previous campaign, including attempts to destroy the victim’s home directory and, in some cases, even delete all writable files owned by the user.

Frequently asked questions about Sha1-Hulud: The Second Coming

What is the initial vector of this new campaign?

The attack chain begins when a developer installs a compromised package containing a modified manifest file. The adversary injects a preinstall lifecycle script into package.json that immediately triggers a file named setup_bun.js upon installation.

Unlike typical supply chain attacks that execute malicious logic directly through the Node.js process, this script automatically downloads and installs the Bun runtime, a separate JavaScript environment. Once installed, the malware uses the Bun binary to execute a bundled payload, often named bun_environment.js. This "bring your own runtime" technique effectively allows the malicious code to operate outside the visibility of standard Node.js security tools and static analysis scanners that monitor the primary build process.

What is the impact of this campaign?

The blast radius of this campaign is extensive. Tens of thousands of GitHub repositories are reportedly affected. It extends to high-profile integrations, including ones from Zapier, ENS Domains, and Postman. By hijacking trusted publisher accounts rather than using typosquatting, the attackers successfully poisoned the supply chain at a fundamental level. This forced malicious code into thousands of corporate environments simply through routine dependency updates.

What are the immediate steps cloud security teams can take to address this issue?

• Audit your environment: Use a security scanner to check if you have malicious versions of the affected packages (see list below).
• Remove them by upgrading to a later version.

Which Tenable products can be used to address these malicious packages?

Tenable automatically and proactively detects malicious packages associated with Shai-Hulud campaigns across both on-premises and cloud environments.

This isn't a one-time check. Tenable Nessus and Tenable Cloud Security, our cloud-native application protection platform (CNAPP), continuously monitor for new indicators of compromise (IOCs) and track research associated with this evolving campaign. As Shai-Hulud adapts its tactics, our threat intelligence and risk analysis capabilities update in real-time, ensuring your defense remains current and effective.

Plugin ID 265897 can be used to identify compromised packages affected in the Sha1-Hulud campaigns.

Tenable Cloud Security classifies affected packages as malicious; detected packages will appear in your Tenable Console environment the next time data is synced.

An appendix with a full listing of affected packages is available here.