Developers woke to alarms on November 24, 2025, as Shai-Hulud malware resurfaced in a bolder attack.
This “Second Coming” affected over 800 npm packages from firms such as Zapier, ENS Domains, AsyncAPI, PostHog, and Postman.
It exposed secrets from 25,000+ GitHub repositories, timed to coincide with npm’s classic token revocation on December 9.
Attack Mechanics and Spread
Shai-Hulud acts as a self-spreading worm, inspired by Dune’s sandworms. It slips into the post-install scripts of trojanized packages.
On execution, setup_bun.js checks for the Bun runtime; if it is missing, it downloads and installs Bun via the official install scripts (curl on Unix, PowerShell on Windows).
It then reloads PATH, scans shell profiles such as .bashrc, and runs the core payload, bun_environment.js.
The malware hunts credentials using TruffleHog, scanning for API keys, tokens, and secrets.
It creates random GitHub repos tagged “Sha1-Hulud: The Second Coming” and publicly dumps the findings.
Attackers push up to 100 new malicious packages per victim, versus 20 in September's first wave. If the malware fails to authenticate, it wipes the user's home directory.

Patient zero hit at 3:16 AM GMT: go-template and 36 AsyncAPI packages, spreading to PostHog by 4:11 AM and Postman by 5:09 AM.
Affected scopes total 132 million monthly downloads, including @posthog/cli, @ensdomains/ensjs, and @postman/postman-collection-fork.
Community errors amplified the spread; at the same time, some packages bundled only staging code without the whole worm, which limited the damage.
Impact and Urgent Fixes
The assault hit high-profile projects: AsyncAPI’s CLI branch deployed malware; ENS, Zapier, and others leaked build secrets.
Firms responded quickly: PostHog and Postman posted status updates and rotated keys. GitLab flagged widespread npm risks; Wiz tallied 25,000+ exposed repos across 500 users.
Teams face credential theft in CI/CD pipelines, enabling further breaches. Quick audits reveal infections via suspicious repos or downloads.
Defend now:
- Scan dependencies for Shai-Hulud indicators; revoke npm/GitHub tokens.
- Rotate all secrets; turn off postinstall scripts in CI.
- Pin versions, enforce MFA, and use tools like Aikido’s Safe-Chain.
- Hunt “Sha1-Hulud: The Second Coming” repos; migrate to trusted publishing.
This wave underscores npm’s fragility amid token deadlines. Developers must harden habits to starve future worms.