GitLab’s Vulnerability Research team has uncovered an active, large-scale supply chain attack spreading destructive malware through the npm ecosystem using an evolved variant of the Shai-Hulud malware.
The campaign represents a significant escalation in supply chain threats, featuring a particularly dangerous mechanism: a “dead man’s switch” that destroys user data if the malware’s infrastructure is disrupted.
This destructive payload transforms what would typically be a credential-stealing operation into a potential mass casualty incident if remediation attempts are made, creating a dangerous dilemma for security teams responding to the attack.
The malware propagates using worm-like behavior that automatically infects additional packages maintained by compromised developers, expanding its reach exponentially across the npm ecosystem.
Multiple infected packages have been identified, though the true scope remains unknown due to the autonomous propagation mechanism.
The infection begins through a carefully engineered multi-stage loading process embedded in package.json preinstall scripts.
Infected packages appear to install the legitimate Bun JavaScript runtime through setup_bun.js.
However, this loader actually establishes the malware’s execution environment and launches a heavily obfuscated 10MB payload.
This layered approach provides evasion on multiple fronts: the initial loader appears innocuous, while the malicious code it launches is both large and obfuscated, making manual inspection difficult.
Once executed, the malware systematically harvests credentials from GitHub, npm, AWS, GCP, and Azure using official SDKs and by scanning configuration files.
The attacker also downloads Trufflehog, a legitimate security tool, to monitor home directories for API keys, passwords, and secrets hidden throughout configuration files and git history.
Stolen data is exfiltrated to attacker-controlled GitHub repositories marked with the description “Sha1-Hulud: The Second Coming,” creating a resilient network where compromised systems share access tokens if initial tokens are invalidated.
Using harvested npm tokens, the malware then republishes infected versions of every package maintained by victims, incrementing version numbers to ensure installations pull malicious updates.
This creates exponential propagation as new victims’ packages become infection vectors for additional targets.
The most alarming aspect is the dead man’s switch mechanism that continuously monitors access to both GitHub and npm infrastructure.
If an infected system loses access to both channels simultaneously, it immediately triggers data destruction.
On Windows systems, the malware attempts to delete all user files and overwrite disk sectors using cipher commands. On Unix systems, it uses shred to irreversibly overwrite files before deleting them.
This creates a catastrophic scenario: if GitHub mass-deletes malware repositories or npm bulk-revokes compromised tokens, thousands of infected systems could simultaneously destroy user data across both platforms.
Each compromised machine independently monitors access and will trigger file destruction upon detecting takedown attempts, effectively weaponizing remediation efforts.
Security teams can detect the malware by monitoring for setup_bun.js files, suspicious Bun installation commands, the .truffler-cache directory, and associated destructive payload commands.
Organizations using GitLab Ultimate can leverage Dependency Scanning to flag infected packages before deployment.
As the investigation continues, safe remediation strategies must balance threat containment with the risk of triggering the destructive payload.
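The host indicators listed above (a setup_bun.js loader, a Bun install in an npm lifecycle hook, and the .truffler-cache directory) can be swept for with a short scanner. The following is an added example for this write-up, not GitLab's tooling; the package names and commands in its sample tree are constructed stand-ins, and the regular expression is an assumption about how the hook commands would read.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Indicators from the write-up: setup_bun.js loader, Bun install in a lifecycle hook, .truffler-cache dir.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SCRIPT_PATTERN = re.compile(r"setup_bun\.js|\bbun\b", re.IGNORECASE)  # assumed command shape
LOADER_FILE, CACHE_DIR = "setup_bun.js", ".truffler-cache"

def suspicious_hooks(package_json):
    """Return (hook, command) pairs whose lifecycle command references setup_bun.js or Bun."""
    try:
        data = json.loads(Path(package_json).read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []  # unreadable or not JSON: nothing to report for this file
    scripts = data.get("scripts") if isinstance(data, dict) else None
    scripts = scripts if isinstance(scripts, dict) else {}
    return [(h, scripts[h]) for h in LIFECYCLE_HOOKS
            if isinstance(scripts.get(h), str) and SCRIPT_PATTERN.search(scripts[h])]

def scan_tree(root):
    """Walk root (a node_modules tree or a home directory) and collect (kind, detail) hits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if CACHE_DIR in dirnames:
            findings.append(("truffler_cache", os.path.join(dirpath, CACHE_DIR)))
        if LOADER_FILE in filenames:
            findings.append(("loader_file", os.path.join(dirpath, LOADER_FILE)))
        if "package.json" in filenames:
            pj = os.path.join(dirpath, "package.json")
            for hook, cmd in suspicious_hooks(pj):
                findings.append(("lifecycle_script", f"{pj} [{hook}] {cmd}"))
    return findings

def build_sample_tree():
    """Constructed sample tree (not real packages): one mimicking the loader, one benign."""
    base = Path(tempfile.mkdtemp())
    bad = base / "node_modules" / "example-infected"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"scripts": {"preinstall": "node setup_bun.js"}}))
    (bad / LOADER_FILE).write_text("// constructed stand-in, not the real loader\n")
    good = base / "node_modules" / "example-clean"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"scripts": {"postinstall": "node scripts/bundle.js"}}))
    (base / CACHE_DIR).mkdir()  # stands in for the directory left behind by the Trufflehog download
    return base
```

Point `scan_tree` at a project's node_modules or a developer home directory; the word-boundary match keeps benign commands such as a `bundle` step from being flagged.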