Monday, May 4, 2026

Zapier’s NPM Account Compromised, Multiple Packages Infected With Malware

Cyber attackers compromised Zapier’s NPM account in late November 2025, infecting multiple packages as part of the Shai-Hulud 2.0 malware campaign, dubbed “The Second Coming” by the threat actors.

This self-replicating worm spread rapidly across the NPM ecosystem, targeting developer machines and CI/CD pipelines to steal secrets, including API keys and tokens.

The attack began around 3:16 AM GMT on November 24, exploiting unpatched GitHub Actions workflows in projects like AsyncAPI, which served as patient zero.

Packages from PostHog and Postman followed shortly after, with Zapier scopes hit next.

Shai-Hulud Mechanics and Evolution

Shai-Hulud hides in NPM package preinstall or postinstall scripts, running before the full installation completes.

The payload first checks for Bun, a fast JavaScript runtime; if it’s absent, it downloads and installs it via platform-specific commands, such as curl on Unix or PowerShell on Windows.

Once Bun runs, the core script (often named bun_environment.js) scans the victim’s environment using tools similar to TruffleHog for sensitive data, including NPM tokens, GitHub PATs, SSH keys, and cloud credentials from AWS, Azure, or GCP.

Stolen secrets are stored in JSON files and uploaded to new public GitHub repositories with descriptions like “Sha1-Hulud: The Second Coming,” now numbering over 26,000.

This wave differs from September’s first attack: it targets up to 100 packages per victim (vs. 20), uses random repo names, relies on Bun for stealth, and wipes the user’s home directory if authentication fails, acting as a destructive “dead man’s switch.”

Affected Packages and Response Steps

Over 492 NPM packages across Zapier, ENS Domains, AsyncAPI, PostHog, Postman, and others amassed 132 million monthly downloads before takedown. High-impact examples include:

Company    Key Compromised Packages
Zapier     @zapier/zapier-sdk, zapier-platform-core
PostHog    posthog-node, @posthog/plugin-server
Postman    @postman/tunnel-agent, postman-node
AsyncAPI   @asyncapi/cli, @asyncapi/generator
ENS        @ensdomains/ensjs, ethereum-ens

PostHog, Postman, and AsyncAPI quickly posted incident reports, revoked tokens, and urged credential rotation.

Security teams should audit dependencies for recent versions, clear NPM caches, rotate all secrets, scan GitHub for suspicious repos, disable install scripts in CI/CD, pin package versions, enforce MFA, and use SCA tools to block fresh malicious uploads.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
