
New Shai Hulud Malware Outbreak Steals GitHub Tokens and Destroys User Files

A large-scale malware outbreak is sweeping through the npm ecosystem, compromising hundreds of packages and leaking sensitive developer secrets to GitHub at an unprecedented rate. The campaign, linked to a new variant of the Shai Hulud malware, has already impacted major projects across Zapier, ENS Domains, AsyncAPI, PostHog, Postman, Browserbase, and dozens of smaller ecosystems.

Security researchers warn that this wave is significantly more destructive than earlier Shai Hulud incidents. The malware now steals GitHub and npm tokens, uploads secrets to freshly created GitHub repositories, and can even wipe a victim’s entire home directory if it fails to authenticate or propagate. The attack is evolving rapidly, with some researchers tracking more than 800 compromised packages and over 27,000 GitHub repositories containing leaked secrets.

Shai Hulud first appeared in September, but its operators returned this week with a large, coordinated supply chain attack. By planting trojanized versions of popular packages on the npm registry, the attackers infected development environments and CI/CD pipelines within minutes of publication. The malicious packages executed during installation, before the legitimate dependency had even finished installing, giving the malware early access to local machines, cloud credentials, and source code repositories.

The Second Coming: A More Destructive Version

According to researchers at Aikido Security, Wiz, and Koi Security, this new Shai Hulud variant represents a major escalation. Instead of injecting a small payload, the attackers now deploy a two-stage mechanism.

The first file, named setup_bun.js, masquerades as a harmless Bun installer. Its job is to load a massive, heavily obfuscated second file called bun_environment.js, which acts as the full malware engine. That file weighs over 10 MB and contains thousands of hex-encoded strings, anti-analysis loops, and obfuscated function calls that make static inspection extremely difficult.

Once running, Shai Hulud performs several actions in sequence:

  • Installs Bun and reloads environment variables
  • Scans for secrets using TruffleHog-like search logic
  • Collects GitHub tokens, npm tokens, cloud platform keys, and CI/CD credentials
  • Creates a new GitHub repository referencing “Sha1 Hulud: The Second Coming”
  • Uploads the stolen secrets in JSON files
  • Attempts to push new malicious packages to npm

But the most alarming capability is new: if the malware cannot authenticate to GitHub or npm and fails to establish any exfiltration path, it destroys the victim’s home directory. Koi researchers confirmed that the destructive wipe triggers only under specific conditions, but noted that the logic is intentionally punitive.

Mass Infection Across Major Ecosystems

The scale of the outbreak is far larger than anything previously seen with Shai Hulud. Aikido Security observed the first packages being infected at 3:16 AM UTC on November 24. Within an hour, attackers had compromised 36 AsyncAPI packages, followed by dozens belonging to Zapier, ENS, PostHog, and Postman.

Researchers discovered that the attackers were also using compromised GitHub accounts, creating new branches and committing malicious files directly to project repositories. One example was found in the AsyncAPI CLI repository, where bun_environment.js appeared in a freshly created branch only minutes before infected packages were published on npm.

Wiz researchers reported that the threat actor had access to more than 350 npm maintainer accounts and was adding up to 1,000 malicious packages every half hour. Many of these packages contained slightly different payloads or incomplete variants, likely due to errors or inconsistencies on the attacker’s side.

In total, researchers estimate the campaign has now generated:

  • Over 800 confirmed malicious packages
  • More than 27,000 GitHub repositories leaking secrets
  • Dozens of compromised maintainer accounts across npm
  • Millions of downloads for infected packages across all ecosystems

Several compromised packages have extremely high install counts, especially those tied to Zapier’s integration tooling and the ENS Domains ecosystem. PostHog, AsyncAPI, and Postman packages were also hit particularly hard due to their popularity in enterprise environments.

A Major Supply Chain Security Breakdown

The attack comes during a critical period for npm. The registry recently announced that legacy classic tokens will be revoked on December 9, urging developers to adopt “trusted publishing” workflows. With many still in the transition phase, attackers appear to have exploited the window of opportunity, leveraging old credentials and weak protections to push malicious versions.

The nature of the attack means that any developer who installed one of the compromised packages, even if only through a transitive dependency, may have exposed cloud infrastructure, GitHub organizations, or production systems. Because Shai Hulud triggers during the preinstall stage, the malware executes before dependency trees resolve, forcing security teams to evaluate build logs, CI history, and environment variables from the moment an infected package entered their pipeline.

What Users Should Do Now

Security teams are urged to treat this as an urgent incident. Recommended actions include:

  • Identify all compromised packages from Aikido, Wiz, and Koi tracking pages
  • Downgrade to known safe versions
  • Rotate GitHub, npm, and cloud credentials immediately
  • Audit for unexplained GitHub repositories containing stolen secrets
  • Check developer machines for suspicious installs of Bun or unexpected JavaScript files
  • Disable postinstall scripts in CI wherever possible
  • Require MFA for all GitHub and npm maintainer accounts

Security researchers warn that the fallout from this incident may continue for weeks. Because secrets were pushed to public GitHub repositories, stolen credentials could already be in the hands of multiple threat actors. Attackers may use them to publish more malicious packages, access corporate codebases, or escalate to cloud environments long after the initial compromise.

This story is still developing. Updates will follow as security teams continue to track the scope of the attack, identify affected packages, and analyze additional variants of the Shai Hulud malware spreading across the npm ecosystem.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
