CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

First reported
Last updated
5 unique sources, 11 articles

Summary

Hide ▲

The Shai-Hulud attack, a self-replicating malware, has compromised at least 187 npm packages, affecting multiple maintainers. The attack uses a self-propagating mechanism to infect other packages by the same maintainer, modifying package.json, injecting a bundle.js script, repacking the archive, and republishing it. The malware uses TruffleHog to search the host for tokens and cloud credentials, creating unauthorized GitHub Actions workflows within repositories and exfiltrating sensitive data to a hardcoded webhook endpoint. The attack is named 'Shai-Hulud' after the shai-hulud.yaml workflow files used by the malware and follows the 's1ngularity' attack, potentially orchestrated by the same attackers. The attack unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools like Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning the prompts for better success. A second wave of attacks, dubbed Sha1-Hulud, has compromised hundreds of npm packages. This new campaign introduces a variant that executes malicious code during the preinstall phase, increasing potential exposure in build and runtime environments. The attackers add a preinstall script (setup_bun.js) in the package.json file, which installs or locates the Bun runtime and runs a bundled malicious script (bun_environment.js). The malicious payload registers the infected machine as a self-hosted runner named SHA1HULUD and adds a workflow called .github/workflows/discussion.yaml. The malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables. Wiz researchers identified over 25,000 affected repositories across about 350 unique users, with 1,000 new repositories being added consistently every 30 minutes in the last couple of hours. The second wave is more aggressive, with the malware attempting to destroy the victim's entire home directory if it fails to authenticate or establish persistence. The wiper-like functionality is triggered only if the malware cannot authenticate to GitHub, create a GitHub repository, fetch a GitHub token, or find an npm token. Organizations are urged to scan all endpoints for impacted packages, remove compromised versions, rotate all credentials, and audit repositories for persistence mechanisms. The new Shai-Hulud worm targets popular projects like Zapier and PostHog. The new version can infect up to 100 npm packages, compared to 20 in the previous version. The malware has an unusual structure, split into two files to evade detection. The first file checks for and installs a non-standard 'bun' JavaScript runtime, while the second file is a massive malicious source file that publishes stolen data to .json files in a randomly named GitHub repository. The size and structure of the file confuse AI analysis tools, causing inconsistent analysis results. The worm is scaling rapidly, with 1000 new repositories discovered every 30 minutes. The worm poses a significant risk to the software industry and end users, potentially leading to data breaches, ransomware footholds, and a loss of trust in the npm ecosystem. The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. A Maven Central package named org.mvnpm:posthog-node:4.18.1 was identified to embed the same two components associated with Sha1-Hulud: the 'setup_bun.js' loader and the main payload 'bun_environment.js'. The Maven Central package is not published by PostHog itself but is generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. The 'second coming' of the supply chain incident has targeted developers globally to steal sensitive data like API keys, cloud credentials, and npm and GitHub tokens. The latest iteration of the attack is more stealthy, aggressive, scalable, and destructive. The attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their own machines and scans for secrets and exfiltrates them to GitHub repositories using the stolen tokens. The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened. A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident. This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages. It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one. The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. The self-replication nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time. Further analysis by Aikido has uncovered that the threat actors exploited vulnerabilities, specifically focusing on CI misconfigurations in pull_request_target and workflow_run workflows, in existing GitHub Actions workflows to pull off the attack. The vulnerability used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run. A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day. It's assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm. As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year. This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation. Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files were uploaded to GitHub with the exfiltrated secrets. GitGuardian's analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, out of which 2,298 remained valid and publicly exposed as of November 24, 2025. Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break. A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours. The techniques attackers are using are constantly evolving. Most of these attacks don't rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed.

Timeline

  1. 24.11.2025 15:03 4 articles · 3d ago

    Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft

    The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. A Maven Central package named org.mvnpm:posthog-node:4.18.1 was identified to embed the same two components associated with Sha1-Hulud: the 'setup_bun.js' loader and the main payload 'bun_environment.js'. The Maven Central package is not published by PostHog itself but is generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. The 'second coming' of the supply chain incident has targeted developers globally to steal sensitive data like API keys, cloud credentials, and npm and GitHub tokens. The latest iteration of the attack is more stealthy, aggressive, scalable, and destructive. The attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their own machines and scans for secrets and exfiltrates them to GitHub repositories using the stolen tokens. The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened. A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident. This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages. It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one. The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. The self-replication nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time. Further analysis by Aikido has uncovered that the threat actors exploited vulnerabilities, specifically focusing on CI misconfigurations in pull_request_target and workflow_run workflows, in existing GitHub Actions workflows to pull off the attack. The vulnerability used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run. A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day. It's assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm. As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year. This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation. Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files were uploaded to GitHub with the exfiltrated secrets. GitGuardian's analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, out of which 2,298 remained valid and publicly exposed as of November 24, 2025. Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break. A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours. The techniques attackers are using are constantly evolving. Most of these attacks don't rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed.

    Show sources
    Open in new tab
  2. 16.09.2025 23:02 2 articles · 2mo ago

    Shai-Hulud Self-Replication Mechanism Detailed

    The Shai-Hulud worm emerged just days after a broad phishing campaign that spoofed NPM and asked developers to update their multi-factor authentication login options. The Shai-Hulud worm was first detected on September 14, 2025, around 17:58 UTC. The Shai-Hulud worm briefly compromised at least 25 NPM code packages managed by CrowdStrike. The Shai-Hulud worm spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account. The Shai-Hulud worm deliberately skips Windows systems, assuming the victim is working in a Linux or macOS environment. The Shai-Hulud worm uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. The Shai-Hulud worm attempts to create new GitHub actions and publish any stolen secrets. The Shai-Hulud worm's spread seems to have waned in recent hours but could restart if a new victim is infected. The web address used by the attackers to exfiltrate collected data was disabled due to rate limits. The Shai-Hulud worm is still propagating, although its spread has slowed down. The Shai-Hulud worm can lay dormant and restart the spread if a new victim is infected. The Shai-Hulud worm's spread could be significantly reduced by implementing a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

    Show sources
    Open in new tab
  3. 16.09.2025 08:00 4 articles · 2mo ago

    Shai-Hulud Attack Compromises Over 40 npm Packages

    The Shai-Hulud worm emerged just days after a broad phishing campaign that spoofed NPM and asked developers to update their multi-factor authentication login options. The Shai-Hulud worm was first detected on September 14, 2025, around 17:58 UTC. The Shai-Hulud worm briefly compromised at least 25 NPM code packages managed by CrowdStrike. The Shai-Hulud worm spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account. The Shai-Hulud worm deliberately skips Windows systems, assuming the victim is working in a Linux or macOS environment. The Shai-Hulud worm uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. The Shai-Hulud worm attempts to create new GitHub actions and publish any stolen secrets. The Shai-Hulud worm's spread seems to have waned in recent hours but could restart if a new victim is infected. The web address used by the attackers to exfiltrate collected data was disabled due to rate limits. The Shai-Hulud worm is still propagating, although its spread has slowed down. The Shai-Hulud worm can lay dormant and restart the spread if a new victim is infected. The Shai-Hulud worm's spread could be significantly reduced by implementing a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

    Show sources
    Open in new tab
  4. 06.09.2025 17:11 1 articles · 2mo ago

    Nx Team Publishes Root Cause Analysis and Adopts New Security Measures

    The Nx team published a root cause analysis detailing the pull request title injection and insecure use of pull_request_target. Nx has adopted NPM's Trusted Publisher model and added manual approval for PR-triggered workflows to prevent future compromises.

    Show sources
    Open in new tab
  5. 28.08.2025 13:36 5 articles · 3mo ago

    Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

    The Shai-Hulud worm emerged just days after a broad phishing campaign that spoofed NPM and asked developers to update their multi-factor authentication login options. The Shai-Hulud worm was first detected on September 14, 2025, around 17:58 UTC. The Shai-Hulud worm briefly compromised at least 25 NPM code packages managed by CrowdStrike. The Shai-Hulud worm spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account. The Shai-Hulud worm deliberately skips Windows systems, assuming the victim is working in a Linux or macOS environment. The Shai-Hulud worm uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. The Shai-Hulud worm attempts to create new GitHub actions and publish any stolen secrets. The Shai-Hulud worm's spread seems to have waned in recent hours but could restart if a new victim is infected. The web address used by the attackers to exfiltrate collected data was disabled due to rate limits. The Shai-Hulud worm is still propagating, although its spread has slowed down. The Shai-Hulud worm can lay dormant and restart the spread if a new victim is infected. The Shai-Hulud worm's spread could be significantly reduced by implementing a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

IndonesianFoods Worm Floods npm with Over 100,000 Fake Packages

A large-scale spam campaign, dubbed IndonesianFoods, has flooded the npm registry with over 100,000 fake packages since early 2024. The campaign uses a worm-like propagation mechanism that requires manual execution via 'node auto.js' or 'publishScript.js' to propagate. The packages reference each other as dependencies, creating a self-replicating network. The goal appears to be monetization through the Tea protocol, rather than traditional malicious activities like data theft. The campaign has been ongoing for nearly two years, highlighting a significant security blind spot in automated detection systems. The malicious script executes in an infinite loop, removing 'private': true in package.json, generating random version numbers, and publishing new spam packages to npm. A single execution can publish approximately 12 packages per minute, 720 per hour, or 17,000 per day. The attackers have inflated their 'impact scores' and claimed Tea token rewards for artificial ecosystem value, with one package README boasting about these earnings. The campaign has overwhelmed multiple security data systems, demonstrating unprecedented scale, and has triggered a massive wave of vulnerability reports.

Open in new tab

PhantomRaven npm credential harvesting campaign leverages invisible dependencies

An ongoing npm credential harvesting campaign dubbed PhantomRaven has been active since August 2025. The malware steals npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. At least 126 npm packages have been infected, resulting in over 86,000 downloads. The attack uses Remote Dynamic Dependencies (RDD) to hide malicious code in externally hosted packages, evading npm security scans. The campaign exploits AI hallucinations to create plausible-sounding package names, a technique known as slopsquatting. As of October 30, 2025, the attacker-controlled URL can serve any kind of malware, initially serving harmless code before pushing a malicious version. The malware scans the developer environment for email addresses and gathers information about the CI/CD environment. The npm ecosystem allows easy publishing and low friction for packages, with lifecycle scripts executing arbitrary code at install time. As of October 29, 2025, at least 80 of the infected packages remain active. Researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package to target GitHub-owned repositories. The package incorporated a post-install hook to download and run malware in versions 4.0.12 to 4.0.17, and has been downloaded 47,405 times. The malware specifically targets repositories owned by the GitHub organization, indicating a targeted attack against GitHub.

Open in new tab

Malicious npm packages targeting Windows, macOS, and Linux systems

Ten malicious npm packages were discovered that deliver an information stealer targeting Windows, macOS, and Linux systems. The packages, uploaded to the npm registry on July 4, 2025, have collectively accumulated over 9,900 downloads. The malware uses multiple layers of obfuscation and a fake CAPTCHA to evade detection and harvests credentials from system keyrings, browsers, and authentication services. The packages are still available on npm despite being reported to npm. The attack aims to steal sensitive information, including credentials and session cookies, which can provide unauthorized access to corporate resources.

Open in new tab

GlassWorm malware targets OpenVSX, VS Code registries

The GlassWorm malware campaign has resurfaced on OpenVSX with three new VSCode extensions, downloaded over 10,000 times. The malware uses invisible Unicode characters to hide malicious code and targets GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions, with an estimated 35,800 downloads, though this figure includes inflated numbers due to bots and visibility-boosting tactics. The Eclipse Foundation has revoked leaked tokens and introduced security measures, but the threat actors have pivoted to GitHub and now returned to OpenVSX with updated command-and-control endpoints. The malware's global reach includes systems in the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security has accessed the attackers' server and shared victim data with law enforcement. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure.

Open in new tab

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

Open in new tab