LevelBlue Completes Acquisition of Trustwave to Form the World's Largest Pure-Play MSSP. Learn More
Sha1-Hulud is back with a new evolution of its supply-chain attack that targets development environments via the Node Package Manager (npm). npm is a very popular package manager for Node.js that gives JavaScript developers access to millions of prebuilt code packages.
This campaign trojanizes unsecured npm packages with malicious code that executes automatically when developers who depend on a package update to the trojaned version. So far, nearly 1,000 npm packages have been confirmed to be infected, which, in turn, affects tens of thousands of code repositories.
Back in September 2025, Sha1-Hulud launched its first attack against npm packages. By inserting trojaned code into hundreds of unsecured npm packages, the attackers ensured those packages were automatically “updated” locally across every development environment that relied on them. The malware had two primary components: a credential stealer and a propagation component that gave it worm behavior.
The newest campaign, spotted just this week, expands on the original in several ways. In addition to the credential catcher and propagation tools, this new campaign adds a punitive “self-destruct” feature. It also adds cross-platform support, working on Linux, macOS, and Windows, and abuses GitHub Actions for remote code execution capability.
The infected npm packages declare a preinstall script in package.json that runs a loader file called setup_bun.js. This loader script attempts to hide its actions by pretending to install the Bun JavaScript runtime. setup_bun.js then executes bun_environment.js, an obfuscated 10MB file also embedded in the infected package.
The credential capture component searches for secrets such as npm and GitHub tokens, API keys, and cloud credentials. It also runs TruffleHog to scan the system for any other useful credentials or session tokens. The malware then creates a public repository under the victim's GitHub account named "Sha1-Hulud: The Second Coming" and dumps all exfiltrated files into it, marking the affected organization and making the files available, not just to the threat actors but publicly to anyone.
Another feature of Sha1-Hulud 2.0 is a propagation process that infects further npm packages. Using npm tokens discovered during the credential capture, it downloads all packages maintained by the victim, inserts setup_bun.js and bun_environment.js into them, and republishes them with an incremented version number. This triggers an automatic update in every developer environment that uses those packages.
If the victim discovers the compromise and attempts to cut off the malware’s access, the malware will attempt to delete all files in the victim’s home directory. It doesn’t just perform a simple delete either: on Windows, the malware also overwrites the disk sectors, and on *nix systems it uses the shred command, which makes file recovery much less likely.
Another new feature is how Sha1-Hulud 2.0 uses GitHub Actions to execute arbitrary code on the victim’s system. The malware creates a public repository under the victim’s account with public discussions enabled. It then creates a hidden directory named ~/.dev-env/, installs the GitHub Actions runner there, and uploads a malicious workflow YAML file named .github/workflows/discussion.yaml. This YAML file interprets any discussion post in the repository as a command to execute locally. Since the discussion forum is public, anyone can post something like powershell -noexit "& ""C:\My Scripts\MyEvilScript.ps1""" in a discussion and have it execute on the victim’s system.
Indicators of Compromise (IOCs)
bun_environment.js
62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0 [SHA256]
f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068 [SHA256]
cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd [SHA256]
setup_bun.js
a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a [SHA256]
Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.
Copyright © 2025 Trustwave Holdings, Inc. All rights reserved.