Massive NPM supply chain attack dubbed Shai Hulud 2 actively exploiting packages
Take action today: scan your source code repositories, development systems and CI/CD pipelines for affected npm packages and remove any compromised versions. Then rotate all credentials (GitHub tokens, npm tokens, cloud credentials for AWS, GCP and Azure, SSH keys, and API keys), as they may have been stolen and exposed. Also consider a deeper investigation for malware that may have been installed.
A sophisticated supply chain attack has compromised between 492 and 1,000 npm packages, depending on the reporting source, in a campaign the threat actors labeled "Shai Hulud: The Second Coming".
The attack began on November 21, 2025 and was detected on November 24, 2025. It is the second major wave of the self-replicating Shai Hulud worm that first emerged in September 2025. The attackers used over 350 compromised npm maintainer accounts to inject malicious code into widely used packages from major organizations including Zapier, ENS Domains, PostHog, Postman, AsyncAPI, and Voiceflow. The attack occurred just before npm's December 9 deadline to revoke legacy classic tokens, exploiting a window in which many developers had not yet migrated to trusted publishing.
The attack uses a two-stage payload delivered during the npm preinstall phase, which extends its reach to both development machines and CI/CD pipelines. The malicious code is delivered through a file named setup_bun.js, which installs or locates the Bun runtime before executing the primary payload contained in bun_environment.js. Once running, the malware uses the TruffleHog credential scanner to harvest authentication material from the infected environment.
The worm automatically authenticates to npm registries using stolen credentials, injects malicious code into other packages maintained by compromised accounts, and publishes new infected versions.
The malware publishes stolen credentials to randomly named GitHub repositories marked with the description "Sha1-Hulud: The Second Coming". Security researchers identified over 25,000 compromised repositories, growing at approximately 1,000 new repositories every 30 minutes during peak activity. The exposed data includes:
- GitHub Personal Access Tokens (PATs)
- npm authentication tokens
- Amazon Web Services (AWS) credentials
- Google Cloud Platform (GCP) access keys
- Microsoft Azure authentication tokens
- API keys and secrets
- SSH private keys
- CI/CD pipeline secrets
- Environment variables
- Local workspace configuration files
The malware also has destructive capability: a wiper function overwrites the victim's entire home directory if the malware fails to authenticate with GitHub or npm, cannot create repositories, or is unable to establish an exfiltration channel.
Affected packages include:
- @postman/tunnel-agent
- posthog-node
- @asyncapi/specs
- @asyncapi/openapi-schema-parser
- @zapier/zapier-sdk
- @ensdomains/ensjs

along with hundreds of supporting libraries across the Zapier, PostHog, AsyncAPI, Postman, ENS Domains, Voiceflow, and other ecosystems. The attack is one of the most severe JavaScript supply chain compromises observed to date, and is directly linked to the earlier s1ngularity/Nx compromise campaign from August 2025. The Cybersecurity and Infrastructure Security Agency (CISA) issued advisories about the broader Shai Hulud threat campaign.
Organizations are advised to immediately scan all development endpoints and CI/CD systems for affected packages, remove compromised versions, and rotate all credentials including GitHub tokens, npm authentication tokens, cloud service credentials, and SSH keys. Security teams should audit GitHub repositories for unauthorized content marked "Shai-Hulud" or suspicious branches, review .github/workflows directories for malicious workflow files such as "shai-hulud-workflow.yml," and monitor for unexpected npm package publications.
Pinning package versions is an excellent control, and where possible organizations should consider private npm repositories for their development efforts.