Sha1-Hulud 2.0 NPM Supply-Chain Campaign

Advisory
November 25, 2025
Kudelski Security Team

Summary

A new wave of NPM supply-chain attacks, collectively named Sha1-Hulud 2.0, has compromised multiple high-profile package scopes, including Zapier and ENS Domains. The trojanized packages contain malicious preinstall scripts that harvest secrets from developer environments and CI pipelines, exfiltrate data through GitHub repositories and workflows, and attempt self-propagation. The campaign represents a major escalation in NPM ecosystem threats, blending stealthy loaders, automated spreading, and destructive fallback behavior.

Affected Systems

Systems at Risk

  • Node.js / npm environments installing compromised packages.
  • CI/CD systems (particularly GitHub Actions) that run installation scripts.
  • Developer workstations with global or local installs.
  • GitHub repositories tied to developer and organization accounts (due to malicious workflow creation).

Known Affected Package Scopes

(Partial list; for the full list, see the appendix of https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains)

  • Zapier:
    • zapier-platform-core, zapier-platform-cli, zapier-platform-schema, @zapier/secret-scrubber, additional @zapier/* packages.
  • ENS Domains:
    • @ensdomains/ens-validation, @ensdomains/content-hash, @ensdomains/ensjs, @ensdomains/ens-contracts, @ensdomains/address-encoder, and more.
  • Other Ecosystem Packages:
    • Packages in the PostHog, Postman, and AsyncAPI ecosystems.

Technical Details

The attack follows much the same flow as its predecessor, with some minor changes. The steps are outlined below; notably, this wave adds the capability for destructive actions.

  1. Maintainer Account Compromise
    Attackers gained access to npm maintainer accounts under targeted scopes and published malicious package versions.
  2. Malicious preinstall Execution
    The trojanized packages embed a preinstall script, executed automatically on installation. This script:
    • Retrieves or installs the Bun JavaScript runtime.
    • Executes obfuscated payloads such as bun_environment.js.
  3. Credential Harvesting
    The payload collects sensitive information:
    • Environment variables
    • Cloud credentials (AWS/GCP/Azure)
    • GitHub tokens, npm tokens
    • Secrets detected via automated scanners
    Collected data is saved to local files (e.g., cloud.json, environment.json).
  4. GitHub-Based Exfiltration & Persistence
    The malware:
    • Registers the host as a self-hosted GitHub runner named SHA1HULUD.
    • Pushes malicious GitHub Actions workflows (discussion.yaml) that exfiltrate secrets.
    • Creates a GitHub repository named Shai-Hulud containing exfiltrated data (double-encoded).
  5. Automated Propagation
    The malware:
    • Uses stolen npm tokens to identify other packages owned by the compromised maintainer.
    • Automatically publishes new malicious package versions — enabling worm-like spread.
  6. Destructive Fail-Safe Behavior
    If credential exfiltration fails, some variants may attempt to wipe the user’s home directory, increasing operational impact.
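As an added example (not code from the advisory or from any affected project), the following Node.js function flags the install-time pattern described in steps 2 and 3: a lifecycle script that invokes the Bun loader, plus the payload and secret-dump files named in this advisory. The package.json object and file list are constructed in memory; the package names are illustrative.

```javascript
// Added example (not from the advisory or any vendor): flag package metadata for
// the Sha1-Hulud 2.0 preinstall pattern. Inputs are constructed in-memory stand-ins
// for a package.json object and the file list of an unpacked tarball.

// Payload files named in the advisory's IoC tables.
const PAYLOAD_FILES = ['setup_bun.js', 'bun_environment.js'];
// Local dumps the payload writes before exfiltration.
const DUMP_FILES = ['environment.json', 'cloud.json', 'contents.json', 'truffleSecrets.json'];

// Returns human-readable findings for one package; an empty array means no match.
function inspectPackage(pkgJson, fileList) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // The campaign's preinstall hook runs a loader that fetches the Bun runtime.
    if (/\bbun\b|setup_bun\.js|bun_environment\.js/i.test(cmd)) {
      findings.push(`lifecycle script "${hook}" references the Bun loader: ${cmd}`);
    } else if (/curl |wget |Invoke-WebRequest|https?:\/\//i.test(cmd)) {
      // Broader hardening check than this campaign: any remote fetch at install time.
      findings.push(`lifecycle script "${hook}" fetches remote content: ${cmd}`);
    }
  }
  for (const file of fileList) {
    const base = file.split('/').pop();
    if (PAYLOAD_FILES.includes(base)) findings.push(`known payload file present: ${file}`);
    if (DUMP_FILES.includes(base)) findings.push(`harvested-secret dump present: ${file}`);
  }
  return findings;
}

// Constructed sample resembling a trojanized package (names are illustrative).
const suspiciousPkg = {
  name: '@example/trojanized-demo',
  version: '9.9.9',
  scripts: { preinstall: 'node setup_bun.js', test: 'jest' },
};
const suspiciousFiles = ['package/package.json', 'package/setup_bun.js', 'package/bun_environment.js'];

// Constructed clean package for comparison.
const cleanPkg = { name: '@example/clean-demo', version: '1.0.0', scripts: { test: 'jest' } };
const cleanFiles = ['package/package.json', 'package/index.js'];

console.log(inspectPackage(suspiciousPkg, suspiciousFiles));
console.log(inspectPackage(cleanPkg, cleanFiles));
```

Run it over the unpacked contents of each package in a lockfile (npm pack or the tarball from the registry) to triage before reinstalling.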

Mitigation

To reduce risk from the ongoing NPM supply chain attacks, the following is recommended:

  1. Identify & Remove Compromised Packages
    • Uninstall affected packages and downgrade to known-clean versions.
    • Clear local caches:
      npm cache clean --force
  2. Immediate Credential Rotation
    • Revoke and regenerate:
      • GitHub PATs
      • npm tokens
      • SSH keys
      • Cloud provider keys
    • Enforce phishing-resistant MFA on all developer accounts.
  3. Audit GitHub Repositories & Workflows
    Look for:
    • Repositories named Shai-Hulud
    • Suspicious workflow files in .github/workflows/
    • Unexpected GitHub runner registrations
    • Strange branches (e.g., shai-hulud)
  4. Harden CI/CD Security
    • Disable or restrict the execution of lifecycle scripts in CI.
    • Enforce outbound network filtering on build systems.
    • Replace long-lived tokens with short-lived or OIDC-issued credentials.
  5. Governance & Developer Guidance
    • Enforce package signing or verification (where supported).
    • Require 2FA on npm accounts.
    • Provide secure package publishing training.

Indicators of Compromise (IoCs)


  1. File & Directory Artifacts
    • setup_bun.js: Malicious preinstall script used to deploy the Bun runtime and payload.
    • bun_environment.js: Obfuscated payload executed during the install process.
    • data.json: Double-base64-encoded exfiltrated data pushed to the malicious GitHub repository.
    • .github/workflows/discussion.yaml: Malicious workflow enabling exfiltration, triggered via Discussions.
    • .github/workflows/shai-hulud*.yml: Other variants of the malicious workflow files.
    • Local JSON dumps (environment.json, cloud.json, contents.json, truffleSecrets.json): Files containing harvested secrets prior to exfiltration.
  2. Network & Exfiltration Indicators
    • webhook.site: Common exfiltration endpoint used in the campaign. Typically carries high-entropy (base64) payloads; large JSON payloads are also sent to the GitHub API.
    • GitHub Actions API: /actions/runners/registration-token: Used to register an unauthorized self-hosted runner.
    • Abnormal outbound POSTs to the GitHub API: Used to push the malicious repository, discussions, and workflows.
    • GitHub repository named Shai-Hulud: Repository used by the malware to store stolen data.
  3. Suspicious GitHub Behaviors
    • New GitHub repository: Shai-Hulud: Created automatically by the malware for exfiltration.
    • Unapproved workflows added under .github/workflows/: Especially discussion.yaml.
    • Branches: shai-hulud, *-migration, or unexpected feature branches: Often used for workflow deployment.
    • Self-hosted runner registered as: SHA1HULUD: A high-confidence compromise indicator.
    • Sudden spikes in Discussions events: Trigger the exfiltration workflows.
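The following is an added example, not the advisory's or any vendor's code, that turns mitigation step 3 (Audit GitHub Repositories & Workflows) and the GitHub-related indicators above into one audit function. The inventory shape (repos with branches and workflow paths, plus a runner list) is an assumption standing in for data you would collect from the GitHub API or an org export; the sample below is constructed, with illustrative owner and repository names.

```javascript
// Added example (not from the advisory): audit a GitHub inventory against the
// repository, branch, workflow and runner indicators listed in this advisory.
// The inventory format is assumed; it is constructed here rather than fetched.

// Returns findings with a confidence level; empty array means no indicator matched.
function auditGitHubInventory(inv) {
  const findings = [];
  for (const r of inv.repos) {
    // Repository the malware creates to hold exfiltrated data.
    if (/^shai-hulud$/i.test(r.name)) {
      findings.push({ level: 'high', what: `repository ${r.owner}/${r.name}` });
    }
    for (const b of r.branches) {
      // Branches the advisory associates with workflow deployment.
      if (/^shai-hulud$/i.test(b) || /-migration$/.test(b)) {
        findings.push({ level: 'medium', what: `branch ${b} in ${r.owner}/${r.name}` });
      }
    }
    for (const w of r.workflows) {
      const base = w.split('/').pop();
      // discussion.yaml and shai-hulud*.yml under .github/workflows/.
      if (w.startsWith('.github/workflows/') &&
          (base === 'discussion.yaml' || /^shai-hulud.*\.ya?ml$/i.test(base))) {
        findings.push({ level: 'high', what: `workflow ${w} in ${r.owner}/${r.name}` });
      }
    }
  }
  for (const runner of inv.runners) {
    // Self-hosted runner registered by the malware; rated high-confidence above.
    if (runner.name.toUpperCase() === 'SHA1HULUD') {
      findings.push({ level: 'high', what: `self-hosted runner ${runner.name} (id ${runner.id})` });
    }
  }
  return findings;
}

// Constructed sample inventory (illustrative owner/repo names).
const sampleInventory = {
  repos: [
    { owner: 'example-org', name: 'Shai-Hulud', branches: ['main'], workflows: ['.github/workflows/discussion.yaml'] },
    { owner: 'example-org', name: 'web-app', branches: ['main', 'shai-hulud'], workflows: ['.github/workflows/ci.yml'] },
  ],
  runners: [{ id: 7, name: 'SHA1HULUD', status: 'online' }, { id: 8, name: 'build-01', status: 'online' }],
};

console.log(auditGitHubInventory(sampleInventory));
```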

What the Cyber Fusion Center is Doing

The CFC is closely monitoring the ongoing campaign and will provide further updates as necessary. Additionally, a threat hunting campaign will be launched based on any available IoCs.

References

  • https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
  • https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack