New Worm Variant Compromises Thousands of NPM Packages and CI Environments

Shai Hulud 2 New Worm Variant Compromises Thousands of NPM Packages and CI Environments

2025-11-26 From Sebastian Gerstl | Translated by AI 5 min Reading Time

A new variant of the Shai Hulud malware worm is hitting the NPM ecosystem even harder than in September 2025, affecting known packages, CI pipelines and cloud-related workflows. Teams should check dependencies and rotate secrets immediately.

The new variant of the Shai Hulud worm, which is now infesting the npm repository, has already captured over 27,000 records of access data.(Image: freely licensed / Pixabay) — The new variant of the Shai Hulud worm, which is now infesting the npm repository, has already captured over 27,000 records of access data.
(Image: freely licensed / Pixabay)

The new Shai Hulud variant shows how quickly a supply chain attack can evolve. The worm is once again infecting hundreds of NPM packages, including versions of Zapier, ENS, PostHog, AsyncAPI and Postman. The first suspicious uploads appeared around the weekend of November 21-23, 2025.

In contrast to the first wave in September 2025, the current version is more aggressive and eliminates vulnerabilities that slowed the spread of the first outbreak. Security analysts report that over 27,000 credentials have been stolen so far and tens of thousands of GitHub repositories have been created for exfiltration.

Hybrid workflows on GitHub take on central roles. A prepared "Code Formatter" workflow searches accounts for secrets and uploads them as JSON. In parallel, other workflows enable the placement of a backdoor. Communication takes place via the discussion functions of the compromised repositories.

Many infected packages contain a preinstall script called setup_bun.js. It loads the JavaScript runtime Bun and launches malicious code that reads system information, executes TruffleHog and collects local tokens and cookies. The data is then automatically stored via GitHub.

The attackers increase automation. Instead of using a fixed repository, the new version creates randomly named repositories with the description "Sha1-Hulud: The Second Coming". The malware can now manipulate around 100 packages per infection chain.

Previous analyses show that platforms such as Linux, Windows and macOS are addressed by specific variants of the malicious code. The worm spreads in installed developer environments, build systems and adjacent cloud accounts as soon as compromised packages are installed.

The timing is no coincidence either. NPM is phasing out the classic Auth Tokens on December 9, 2025. Many projects have not yet switched to Trusted Publishing. Attackers are specifically exploiting this transition phase to obtain as many secrets as possible before the stricter controls take effect.

List of known infected repositories

According to Wiz and Koi, the following npm packages are infected by the worm (as of Tuesday, November 25, 2025, 3:20 p.m.):

@accordproject/concerto-analysis
@accordproject/markdown-docx
@accordproject/markdown-it-cicero
@actbase/css-to-react-native-transform
@actbase/native
@actbase/node-server
@actbase/react-absolute
@actbase/react-daum-postcode
@actbase/react-kakaosdk
@actbase/react-native-actionsheet
@actbase/react-native-devtools
@actbase/react-native-fast-image
@actbase/react-native-kakao-channel
@actbase/react-native-kakao-navi
@actbase/react-native-less-transformer
@actbase/react-native-naver-login
@actbase/react-native-simple-video
@actbase/react-native-tiktok
@alexcolls/nuxt-socket.io
@alexcolls/nuxt-ux
@aryanhussain/my-angular-lib
@asyncapi/avro-schema-parser
@asyncapi/bundler
@asyncapi/cli
@asyncapi/converter
@asyncapi/diff
@asyncapi/dotnet-rabbitmq-template
@asyncapi/edavisualiser
@asyncapi/generator
@asyncapi/generator-components
@asyncapi/generator-helpers
@asyncapi/generator-react-sdk
@asyncapi/go-watermill-template
@asyncapi/html-template
@asyncapi/java-spring-cloud-stream-template
@asyncapi/java-spring-template
@asyncapi/java-template
@asyncapi/keeper
@asyncapi/markdown-template
@asyncapi/modelina
@asyncapi/modelina-cli
@asyncapi/multi-parser
@asyncapi/nodejs-template
@asyncapi/nodejs-ws-template
@asyncapi/nunjucks-filters
@asyncapi/openapi-schema-parser
@asyncapi/optimizer
@asyncapi/parser
@asyncapi/php-template
@asyncapi/problem
@asyncapi/protobuf-schema-parser
@asyncapi/python-paho-template
@asyncapi/react-component
@asyncapi/server-api
@asyncapi/specs
@asyncapi/studio
@asyncapi/web-component
@caretive/caret-cli
@clausehq/flows-step-jsontoxml
@clausehq/flows-step-sendgridemail
@commute/bloom
@commute/market-data
@dev-blinq/ai-qa-logic
@dev-blinq/cucumber_client
@ensdomains/address-encoder
@ensdomains/blacklist
@ensdomains/buffer
@ensdomains/ccip-read-cf-worker
@ensdomains/ccip-read-dns-gateway
@ensdomains/ccip-read-router
@ensdomains/ccip-read-worker-viem
@ensdomains/content-hash
@ensdomains/curvearithmetics
@ensdomains/cypress-metamask
@ensdomains/dnsprovejs
@ensdomains/dnssec-oracle-anchors
@ensdomains/dnssecoraclejs
@ensdomains/durin
@ensdomains/durin-middleware
@ensdomains/ens-archived-contracts
@ensdomains/ens-avatar
@ensdomains/ens-contracts
@ensdomains/ensjs
@ensdomains/ensjs-react
@ensdomains/ens-test-env
@ensdomains/ens-validation
@ensdomains/eth-ens-namehash
@ensdomains/hackathon-registrar
@ensdomains/hardhat-chai-matchers-viem
@ensdomains/hardhat-toolbox-viem-extended
@ensdomains/mock
@ensdomains/name-wrapper
@ensdomains/offchain-resolver-contracts
@ensdomains/op-resolver-contracts
@ensdomains/react-ens-address
@ensdomains/renewal
@ensdomains/renewal-widget
@ensdomains/reverse-records
@ensdomains/server-analytics
@ensdomains/solsha1
@ensdomains/subdomain-registrar
@ensdomains/test-utils
@ensdomains/thorin
@ensdomains/ui
@ensdomains/unicode-confusables
@ensdomains/unruggable-gateways
@ensdomains/vite-plugin-i18next-loader
@ensdomains/web3modal
@everreal/web-analytics
@fishingbooker/browser-sync-plugin
@fishingbooker/react-swiper
@hapheus/n8n-nodes-pgp
@ifelsedeveloper/protocol-contracts-svm-idl
@ifings/design-system
@kvytech/cli
@kvytech/components
@kvytech/habbit-e2e-test
@kvytech/medusa-plugin-announcement
@kvytech/medusa-plugin-management
@kvytech/medusa-plugin-newsletter
@kvytech/medusa-plugin-product-reviews
@kvytech/medusa-plugin-promotion
@kvytech/web
@lessondesk/api-client
@lessondesk/babel-preset
@lessondesk/eslint-config
@lessondesk/schoolbus
@louisle2/core
@louisle2/cortex-js
@lpdjs/firestore-repo-service
@markvivanco/app-version-checker
@mcp-use/cli
@mcp-use/inspector
@mcp-use/mcp-use
@mparpaillon/connector-parse
@mparpaillon/imagesloaded
@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode
@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode
@orbitgtbelgium/orbit-components
@orbitgtbelgium/time-slider
@osmanekrem/error-handler
@posthog/agent
@posthog/ai
@posthog/automatic-cohorts-plugin
@posthog/bitbucket-release-tracker
@posthog/cli
@posthog/clickhouse
@posthog/core
@posthog/currency-normalization-plugin
@posthog/customerio-plugin
@posthog/databricks-plugin
@posthog/drop-events-on-property-plugin
@posthog/event-sequence-timer-plugin
@posthog/filter-out-plugin
@posthog/first-time-event-tracker
@posthog/geoip-plugin
@posthog/github-release-tracking-plugin
@posthog/gitub-star-sync-plugin
@posthog/heartbeat-plugin
@posthog/hedgehog-mode
@posthog/icons
@posthog/ingestion-alert-plugin
@posthog/intercom-plugin
@posthog/kinesis-plugin
@posthog/laudspeaker-plugin
@posthog/lemon-ui
@posthog/maxmind-plugin
@posthog/migrator3000-plugin
@posthog/netdata-event-processing
@posthog/nextjs
@posthog/nextjs-config
@posthog/nuxt
@posthog/pagerduty-plugin
@posthog/piscina
@posthog/plugin-contrib
@posthog/plugin-server
@posthog/plugin-unduplicates
@posthog/postgres-plugin
@posthog/react-rrweb-player
@posthog/rrdom
@posthog/rrweb
@posthog/rrweb-player
@posthog/rrweb-record
@posthog/rrweb-replay
@posthog/rrweb-snapshot
@posthog/rrweb-utils
@posthog/sendgrid-plugin
@posthog/siphash
@posthog/snowflake-export-plugin
@posthog/taxonomy-plugin
@posthog/twilio-plugin
@posthog/twitter-followers-plugin
@posthog/url-normalizer-plugin
@posthog/variance-plugin
@posthog/web-dev-server
@posthog/wizard
@posthog/zendesk-plugin
@postman/aether-icons
@postman/csv-parse
@postman/final-node-keytar
@postman/mcp-ui-client
@postman/node-keytar
@postman/pm-bin-linux-x64
@postman/pm-bin-macos-arm64
@postman/pm-bin-macos-x64
@postman/pm-bin-windows-x64
@postman/postman-collection-fork
@postman/postman-mcp-cli
@postman/postman-mcp-server
@postman/pretty-ms
@postman/secret-scanner-wasm
@postman/tunnel-agent
@postman/wdio-allure-reporter
@postman/wdio-junit-reporter
@quick-start-soft/quick-document-translator
@quick-start-soft/quick-git-clean-markdown
@quick-start-soft/quick-markdown
@quick-start-soft/quick-markdown-compose
@quick-start-soft/quick-markdown-image
@quick-start-soft/quick-markdown-print
@quick-start-soft/quick-markdown-translator
@quick-start-soft/quick-remove-image-background
@quick-start-soft/quick-task-refine
@seung-ju/next
@seung-ju/openapi-generator
@seung-ju/react-hooks
@seung-ju/react-native-action-sheet
@strapbuild/react-native-date-time-picker
@strapbuild/react-native-perspective-image-cropper
@strapbuild/react-native-perspective-image-cropper-2
@strapbuild/react-native-perspective-image-cropper-poojan31
@thedelta/eslint-config
@tiaanduplessis/json
@tiaanduplessis/react-progressbar
@trefox/sleekshop-js
@trigo/atrix
@trigo/atrix-acl
@trigo/atrix-elasticsearch
@trigo/atrix-mongoose
@trigo/atrix-orientdb
@trigo/atrix-postgres
@trigo/atrix-pubsub
@trigo/atrix-redis
@trigo/atrix-soap
@trigo/atrix-swagger
@trigo/bool-expressions
@trigo/eslint-config-trigo
@trigo/fsm
@trigo/hapi-auth-signedlink
@trigo/jsdt
@trigo/keycloak-api
@trigo/node-soap
@trigo/pathfinder-ui-css
@trigo/trigo-hapijs
@varsityvibe/api-client
@varsityvibe/validation-schemas
@zapier/ai-actions
@zapier/ai-actions-react
@zapier/babel-preset-zapier
@zapier/browserslist-config-zapier
@zapier/eslint-plugin-zapier
@zapier/mcp-integration
@zapier/secret-scrubber
@zapier/spectral-api-ruleset
@zapier/stubtree
@zapier/zapier-sdk
asyncapi-preview
atrix
atrix-mongoose
axios-builder
axios-cancelable
axios-timed
barebones-css
blinqio-executions-cli
bool-expressions
bun-plugin-httpfile
bytecode-checker-cli
bytes-to-x
calc-loan-interest
capacitor-plugin-apptrackingios
capacitor-plugin-purchase
capacitor-plugin-scgssigninwithgoogle
capacitor-purchase-history
capacitor-voice-recorder-wav
chrome-extension-downloads
claude-token-updater
coinmarketcap-api
command-irail
compare-obj
count-it-down
cpu-instructions
create-glee-app
create-hardhat3-app
create-mcp-use-app
crypto-addr-codec
designstudiouiux
devstart-cli
discord-bot-server
dotnet-template
drop-events-on-property-plugin
enforce-branch-name
eslint-config-trigo
eslint-config-zeallat-base
ethereum-ens
evm-checkcode-cli
exact-ticker
expo-audio-session
feature-flip
fittxt
flapstacks
flatten-unflatten
formik-error-focus
formik-store
fuzzy-finder
gate-evm-check-code2
gate-evm-tools-test
gatsby-plugin-cname
get-them-args
github-action-for-generator
gitsafe
go-template
haufe-axera-api-client
hopedraw
hope-mapboxdraw
hyperterm-hipster
image-to-uri
invoice
iron-shield-miniapp
ito-button
itobuz-angular
itobuz-angular-auth
jacob-zuma
jan-browser
jquery-bindings
just-toasty
kill-port
korea-administrative-area-geo-json-util
license-o-matic
lint-staged-imagemin
lite-serper-mcp-server
luno-api
manual-billing-system-miniapp-api
mcp-use
medusa-plugin-announcement
medusa-plugin-logs
medusa-plugin-momo
medusa-plugin-product-reviews-kvy
medusa-plugin-zalopay
mon-package-react-typescript
n8n-nodes-tmdb
nanoreset
next-circular-dependency
obj-to-css
okta-react-router-6
open2internet
orbit-boxicons
orbit-nebula-draw-tools
orbit-nebula-editor
orbit-soap
parcel-plugin-asset-copier
piclite
pico-uid
poper-react-sdk
posthog-docusaurus
posthog-js
posthog-node
posthog-plugin-hello-world
posthog-react-native
posthog-react-native-session-replay
ra-data-firebase
react-component-taggers
react-element-prompt-inspector
react-jam-icons
react-keycloak-context
react-library-setup
react-native-datepicker-modal
react-native-email
react-native-fetch
react-native-get-pixel-dimensions
react-native-jam-icons
react-native-log-level
react-native-phone-call
react-native-retriable-fetch
react-native-use-modal
react-native-view-finder
react-native-websocket
react-native-worklet-functions
react-qr-image
redux-forge
redux-router-kit
sa-company-registration-number-regex
sa-id-gen
scgs-capacitor-subscribe
scgsffcreator
set-nested-prop
shell-exec
shinhan-limit-scrap
skills-use
sort-by-distance
stoor
svelte-autocomplete-select
tcsp-draw-test
tenacious-fetch
test23112222-api
test-foundry-app
test-hardhat-app
token.js-fork
trigo-react-app
typeorm-orbit
undefsafe-typed
uplandui
url-encode-decode
vite-plugin-httpfile
web-types-htmx
web-types-lit
wenk
zapier-async-storage
zapier-platform-cli
zapier-platform-core
zapier-platform-legacy-scripting-runner
zapier-platform-schema
zapier-scripts
zuper-cli
zuper-sdk
zuper-stream

The number of apparently infected GitHub repositories continues to grow. Wiz records around 1,000 new repositories every 30 minutes, which were created exclusively to store stolen data. Some of the prominent packages affected have already been cleaned up, but the attack campaign continues.

Organizations should now systematically check whether compromised versions have been installed. This includes auditing all relevant dependencies, deleting affected node_modules folders and removing infected packages. Automatic updates should be temporarily deactivated until there is clarity.

Regardless of the previous findings, all GitHub, npm, cloud and CI/CD secrets must be rotated. It is also advisable to deactivate postinstall scripts in CI environments, strictly pin package versions and activate multi-factor authentication. The known lists of compromised packages from Wiz, Socket and other providers should be checked regularly.(sg)

Shai Hulud 2 New Worm Variant Compromises Thousands of NPM Packages and CI Environments

List of known infected repositories

Subscribe to the newsletter now

Don't Miss out on Our Best Content

Consent to the use of data for promotional purposes

Right of revocation