The newest iteration of the Shai-Hulud worm, which ran through the open npm repositories only two months ago, is cutting a wider swath this month, creating tens of thousands of malicious repositories across hundreds of GitHub users, with the number of compromised packages reaching at least 700.
And the info-stealing malware is accelerating the attack, with about 1,000 new repositories surfacing every 30 minutes, according to security researchers at cybersecurity firm Wiz.
“Popular projects from Zapier, ENS Domains, PostHog, and Postman were temporarily trojanized, leading to GitHub repos populated with stolen victim data,” they wrote in a report. “Some of these packages are highly prevalent, occurring in roughly 27 % of cloud and code environments scanned by Wiz.”
About a dozen cybersecurity firms have reported on the fast-propagating worm, and while the numbers they’re reporting may vary a bit – ReversingLabs researchers have the number of GitHub repositories created by Sha1-Hulud: Second Coming malware at more than 27,000 – it’s clear that the scope and impact of the attacks are significantly larger than the first one in September, when JFrog researchers saw an initial 459 publicly identified packages and another 181 compromised packages.
Included among the compromised packages are AsyncAPI-related packages, including @asyncapi/specs, which ReversingLabs co-founder and Chief Software Architect Tomislav Peričin wrote has “more than 100 million lifetime- and an average of 1.4 million weekly downloads. This package in particular is also believed to be the ‘patient-zero’ package for this wave of attack, meaning it is the first known infected package.”
The attack delivers “malicious code that steals and publicly exposes developer credentials, marking one of the most significant supply chain incidents of recent months,” wrote Ashish Kurmi, co-founder and CTO of Step Security. “The ‘Sha1-Hulud: The Second Coming’ attack demonstrates that supply chain security remains one of the most critical challenges facing the software development ecosystem.”
Nadav Shakarzy, product manager for Apiiro, said the new variant is a “significantly more aggressive wave of Shai-Hulud malware [that] is rapidly propagating across the npm ecosystem. … This campaign is infecting hundreds of open-source packages with a trojanized preinstall script that executes an obfuscated Bun-based payload. Once activated, the malware steals sensitive credentials – including API tokens, SSH keys, cloud access keys, and environment secrets – exfiltrates them to attacker-controlled GitHub repositories.”
He added that “this attack is active, fast-moving, and uniquely impactful because it targets developers, CI/CD systems, and any workflow that consumes npm packages.”
Sha1-Hulud includes the capabilities found in the first iteration of the malware, but also adds significant new features that make it harder to detect and faster to replicate. Shakarzy noted that the previous variant relied on postinstall scripts or simple credential theft; the new one is much more dangerous.
It embeds malicious preinstall scripts inside seemingly legitimate npm packages, and the Bun-based payload files are obfuscated so the malware can execute stealthily. In addition, according to JFrog, while the previous Shai-Hulud attack created GitHub repositories containing the exfiltrated credentials under a naming scheme that included the user’s name and “shai-hulud,” this time the payload generates a random repository name.
In addition, in the latest attack, the malware looks to cause damage if data exfiltration fails by trying to wipe the user’s home directory.
“This combination of stealth, credential breadth, and destructive potential makes Shai-Hulud 2 one of the most impactful supply chain attacks of the year,” Shakarzy wrote.
The attacks start with the bad actors injecting a malicious preinstall script into package.json, creating trojanized versions of legitimate packages, and then downloading or obfuscating Bun payloads in developer environments, CI pipelines, or production builds.
The malware then harvests credentials, including developer machine credentials, GitHub and npm tokens, cloud credentials for Amazon Web Services (AWS), Microsoft Azure, and Google, and secrets in .env files, environment variables, or workspace settings. The data is uploaded to attacker-controlled GitHub repositories created for each victim and, if the exfiltration fails, the malware tries to wipe the user’s home directory.
“If a developer installs one of these bad packages, the malware quietly runs during installation, before anything even finishes installing,” wrote Charlie Eriksen, security researcher at Aikido Security. “This gives it access to the developer’s machine, build systems, or cloud environment. … If those stolen secrets include access to code repositories or package registries, attackers can use them to break into more accounts and publish more malicious packages, helping the attack spread further.”
Trusted ecosystems were involved and millions of downloads were affected, so teams using npm need to check whether they were affected and rotate any credentials that may have leaked, he wrote.
GitGuardian researchers Guillaume Valadon and Gaetan Ferry wrote that the evolution of Shai-Hulud from September to November shows how supply chain attacks are getting smarter and threat actors are learning from their own and others’ previous campaigns and adapting their techniques.
“Moving from easily blocked endpoints to using stolen credentials for exfiltration through legitimate GitHub repositories is a clear example of this learning in action,” Valadon and Ferry wrote.
Garrett Calpouzos, principal security researcher with Sonatype, said the evolution includes planning for AI-powered defense tools. Calpouzos noted how the latest variant is split into two files that add extra steps but seemingly aren’t directly related to exploitation. The first checks for and installs a non-standard bun JavaScript runtime, and then uses bun to execute the actual, massive malicious source file that publishes stolen data to .json files in the randomly named GitHub repository.
“What’s particularly interesting is how the size and structure of the file appear to confuse AI analysis tools,” he said. “It’s so large that it exceeds a normal context window and the models can’t keep track of everything they’re reading. I’ve asked both ChatGPT and Gemini to analyze it and I get different answers each time. Looking at [the models’] reasoning, they’re searching for obvious malware patterns — like calls to suspicious domains — and not finding any, so they incorrectly conclude it’s just a legitimate session or token management library.”
Calpouzos called it “a clever evolution. The attackers aren’t just hiding from humans, they’re learning to hide from machines, too.”