Sha1-Hulud 2.0: Massive npm Supply Chain Attack Compromises 25K+ Repositories (2025)

A second wave of npm supply chain attacks, dubbed Sha1-Hulud, is causing concern among security experts, with over 25,000 repositories at risk. It follows the Shai-Hulud attack that made headlines in September 2025, and the latest campaign has taken a more aggressive approach, potentially leading to catastrophic data loss for victims.

Multiple security vendors, including Aikido, HelixGuard, Koi Security, Socket, and Wiz, have reported on this new supply chain attack. The attackers have compromised hundreds of npm packages, introducing a malicious variant that executes during the preinstall phase. This significantly increases the potential impact on build and runtime environments.

Just like the previous attack, Sha1-Hulud publishes stolen secrets to GitHub, this time with a telling repository description: "Sha1-Hulud: The Second Coming." The malicious code is designed to search for secrets on developer machines and transmit them to the attacker's server. What's more, the infected variants can self-replicate by republishing themselves into other npm packages owned by the compromised maintainer.

In the latest attacks, the attackers have been found to manipulate the package.json file by adding a preinstall script called "setupbun.js." This script stealthily installs or locates the Bun runtime and executes a bundled malicious script, "bunenvironment.js." The malicious payload then carries out a sequence of actions through two different workflows.

First, it registers the infected machine as a self-hosted runner named "SHA1HULUD" and adds a workflow that contains an injection vulnerability. This allows the attacker to run arbitrary commands on the compromised machines by opening discussions in the GitHub repository. Second, it exfiltrates secrets defined in the GitHub secrets section and uploads them as an artifact, before deleting the workflow to cover its tracks.

Wiz researchers Hila Ramati, Merav Bar, Gal Benmocha, and Gili Tikochinski noted that the malware also downloads and runs TruffleHog to scan the local machine for sensitive information, including npm tokens, AWS/GCP/Azure credentials, and environment variables, which are then stolen by the attacker.

Wiz has identified over 25,000 affected repositories across approximately 350 unique users. Over the past couple of hours, roughly 1,000 new repositories have been added every 30 minutes. This campaign continues the trend of npm supply-chain compromises referencing Shai-Hulud, but it may involve different actors.

Koi Security describes the second wave as significantly more aggressive. If the malware fails to authenticate or establish persistence, it attempts to destroy the victim's entire home directory, including all writable files owned by the current user under their home folder. This destructive functionality is only triggered under specific conditions, however, such as the inability to authenticate with GitHub, create a GitHub repository, fetch a GitHub token, or find an npm token.

Security researchers Yuval Ronen and Idan Dardikman explain that Sha1-Hulud resorts to data destruction if it cannot steal credentials, obtain tokens, or secure an exfiltration channel. This marks a significant escalation from the first wave, indicating a shift in the actor's tactics from data theft to punitive sabotage.

To mitigate the risk posed by Sha1-Hulud, organizations are urged to take immediate action. This includes scanning all endpoints for impacted packages, removing compromised versions, rotating all credentials, and auditing repositories for persistence mechanisms. Specifically, organizations should review .github/workflows/ for suspicious files such as shai-hulud-workflow.yml or unexpected branches.

This developing story will be updated as new details emerge.

Author: Madonna Wisozk