Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub

Hundreds of trojanized versions of well-known packages such as Zapier, ENS Domains, PostHog, and Postman have been planted in the npm registry in a new Shai-Hulud supply-chain campaign.

The malicious packages were added to npm (Node Package Manager) over the weekend to steal developer and continuous integration and continuous delivery (CI/CD) secrets. The data is automatically posted on GitHub in encoded form.

At publishing time, GitHub returned 27,600 results corresponding to entries related to the recent attack.

When the Shai-Hulud malware first appeared in the npm space in mid-September, it compromised 187 packages with a self-propagating payload that used the TruffleHog tool to steal developer secrets.

The threat actor automatically downloaded legitimate packages, modified the package.json file to inject a malicious script, and then published them on npm using compromised maintainer accounts.

Charlie Eriksen, malware researcher at developer-focused security platform Aikido Security, discovered the new campaign earlier today, when there were 105 trojanized packages with Shai-Hulud indicators. Since then, the number grew to 492, counting only the package names.

Later, the researcher warned that the secrets stolen in the supply-chain attack were leaked on GitHub.

However, the campaign has grown exponentially to more than 27,000 malicious packages. Threat researchers at Wiz cloud security platform discovered around 350 unique maintainer accounts used in the campaign, noting that "1,000 new repositories are being added consistently every 30 minutes in the last couple of hours."

Eriksen clarified for BleepingComputer that the repositories on GitHub are indicative of compromised developers that used trojanized npm packages and had GitHub credentials on their environment.

A technical analysis of the new Shai-Hulud malware from CI/CD security company Step Security explains that the new payloads are present in two files, one being setup_bun.js, a dropper disguised as a Bun installer.

The second file is called bun_environment.js and is sizeable, at 10MB. It relies on "extreme obfuscation techniques," Step Security says, such as a large hex-encoded string with thousands of entries, an anti-analysis loop, and an obfuscated function to retrieve every string in the code.

Step Security describes five stages the malware executes during the attack, which include exfiltrating secrets (GitHub and npm tokens, secrets for cloud platforms like AWS, GCP, and Azure) and a destructive step that overwrites the victim's entire home directory.

Koi Security, a company providing protection solutions for self-provisioned software, tracks more than 800 npm packages compromised by Shai-Hulud, counting all infected versions of a package.

The researchers confirmed the destructive step in the new Shai-Hulud variant, saying that the overwrite occurs only when a set of four conditions is met.

Deleting a user's home folder happens if the malware cannot authenticate to GitHub, create a repository on the platform, fetch a GitHub token, or find an npm token.

According to Wiz, the malicious code collects developer and CI/CD secrets and publishes them to GitHub repositories with names referencing Shai-Hulud. The malicious code executes only during the preinstall stage and creates a set of files.

Stolen secrets are published on GitHub to automatically generated repositories that have the description "Sha1-Hulud: The Second Coming."

It appears that the threat actor has also gained access to GitHub accounts that they are now using to create repositories with the same four files.

GitHub is deleting the attacker's repositories as they emerge, but the threat actor appears to be creating new ones very fast.

On the list of 186 packages that Aikido Security found to be compromised with a new version of the Shai-Hulud malware, there are multiple packages from Zapier, ENS Domains, PostHog, and AsyncAPI.

The compromised Zapier packages constitute the official toolkit for building Zapier integrations and are essential for Zapier developers.

The ENS Domains packages are tools and libraries widely used by wallets, DApps, exchanges, and the ENS Manager app to handle .eth names: resolving them to Ethereum addresses, linking IPFS content, validating names, and interacting with the official ENS smart contracts.

All of the compromised packages are available for download from npm. However, in some cases, the platform displays a warning message about unauthorized publication of the latest version, indicating that the automated review has caught signs of a compromise.

Developers are advised to check Aikido's post for the complete list of the infected packages, downgrade to safe versions, and rotate their secrets and CI/CD tokens immediately.

Wiz researchers recommend that security teams first identify the compromised packages and replace them with legitimate ones. They also urge organizations to rotate all credentials tied to npm, GitHub, and cloud providers.

Aikido Security advises developers to disable npm postinstall scripts during continuous integration, if possible.

The return of Shai-Hulud comes at a time when GitHub introduced additional security measures to prevent supply-chain attacks on npm following a series of high-impact attacks on the platform. However, the measures are being implemented gradually.

BleepingComputer attempted to contact npm about the campaign, but our emails bounced as undeliverable.

Update November 24, 10:28 AM: Article updated with information from Koi Security.