Sha1-Hulud 2.0 is an aggressive evolution of the September 2025 Shai-Hulud npm supply chain attack. This second wave moves execution to the preinstall phase, so the malware runs automatically the moment a dependency is installed, ahead of any post-install scanning or review of the installed tree. The campaign uses compromised maintainer accounts to publish trojanized npm packages, affecting major projects including Zapier, ENS Domains, PostHog and Postman.
Like the Shai-Hulud attack that came to light in September 2025, the latest activity also publishes stolen secrets to GitHub, this time with the repository description: "Sha1-Hulud: The Second Coming."
Impact
- Over 25,000 GitHub repositories hijacked or created to host stolen secrets.
- Cross-victim exfiltration observed: one victim's secrets pushed to repositories belonging to unrelated accounts.
- No human interaction required: a plain `npm install` that resolves a trojanized version is enough to compromise a build server, because the preinstall hook runs unattended.
- Dual-purpose payload: credential theft, with a destructive fallback (home directory wipe) when theft fails.
- Executes at install time rather than in application code, so tools that scan only checked-in source, or that run after installation completes, can miss it.
Key Technical Details:
Initial Infection Vector:
- Malicious npm packages uploaded between Nov 21–23, 2025.
- Injected files: setup_bun.js and bun_environment.js. A package.json preinstall script runs setup_bun.js, which installs the Bun runtime and then launches the bun_environment.js payload.
Payload Actions:
- Registers infected machine as a self-hosted GitHub Actions runner named SHA1HULUD.
- Adds malicious workflow .github/workflows/discussion.yaml enabling remote command execution.
- Exfiltrates GitHub Actions secrets, NPM tokens, and cloud credentials (AWS/GCP/Azure) using TruffleHog.
- Encodes stolen data with triple Base64 layers before upload.
Propagation:
- Enumerates up to 100 npm packages that a stolen, still-valid npm token can publish to, injects the malicious scripts, bumps their versions, and republishes them.
- Searches GitHub for beacon phrase “Sha1-Hulud: The Second Coming” to re-seed victims.
Escalation & Sabotage:
- If it cannot exfiltrate credentials, falls back to a wiper-like routine that deletes the user's entire home directory.
- Attempts root privilege escalation by abusing Docker mounts and dropping a malicious sudoers file.
Malicious Repositories Characteristics:
These repositories can be identified by several patterns:
- the description is "Sha1-Hulud: The Second Coming"
- the name is a randomly generated 18-character string of lowercase letters and digits, such as zl8cgwrxf1ufhiufxq or bq1g6jmnju2xpuii6u
- a file named cloud.json, containing a JSON document with the AWS, Azure and GCP secrets found on the host
- a file named contents.json, containing a JSON document with system information, the GitHub token used for exfiltration, and its associated metadata such as the login or email
- a file named environment.json, containing a JSON document with the host's environment variables
- a file named actionsSecrets.json, containing a JSON document with the secrets exfiltrated from GitHub Actions
- a file named truffleSecrets.json, containing a JSON document with the secrets detected locally using TruffleHog Open Source
Mitigation and Recommendations:
Immediate Actions:
- Audit all npm dependencies, including lockfiles and transitive dependencies, for the compromised versions.
- Remove the infected packages, then rotate every credential reachable from the affected hosts (npm, GitHub, cloud providers, and anything held in CI secrets or environment variables), since the payload harvests all of these.
- Review .github/workflows/ for unexpected files such as discussion.yaml and for unexpected branches, and check the organisation's self-hosted runner list for runners named SHA1HULUD.
Preventive Measures:
- Enforce 2FA and short-lived tokens for npm publishing.
- Implement trusted publishing and provenance attestations.
- Monitor for anomalous preinstall scripts and unexpected GitHub Actions runners; where builds allow it, disable lifecycle scripts entirely (npm's ignore-scripts setting) so a preinstall hook cannot execute at all.
Integrity360 are actively investigating this incident and will continue to update this post as new information becomes available.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.