
A massive resurgence of the Sha1-Hulud supply chain malware has struck the open-source ecosystem, compromising over 800 npm packages and tens of thousands of GitHub repositories in a campaign the attackers have dubbed “The Second Coming.”
The compromised packages come from high-profile maintainers, including AsyncAPI, Postman, PostHog, Zapier, and ENS, and together account for an estimated 132 million monthly downloads.
Rather than running under Node.js, the malware installs and executes under the Bun runtime, which sidesteps detection tooling that only inspects the Node.js execution path, and it adds a destructive fallback that wipes the victim's data when the attack cannot complete.
The most alarming change in this variant is its destructive fallback. Credential theft remains the primary goal, but the malware now carries a fail-safe that fires when it cannot establish persistence or exfiltrate what it has collected.
If it fails to authenticate to GitHub, create a repository, fetch a GitHub token, or locate an npm token, it executes a wiper routine.
The wiper attempts to destroy the victim's home directory by deleting every writable file owned by the current user beneath it. In other words, when Sha1-Hulud cannot steal credentials or secure an exfiltration channel, it falls back to data destruction, either to remove evidence or simply to cause disruption.
The attack chain, as first documented by Aikido Security, begins with a file named setup_bun.js, invoked from the compromised package's preinstall lifecycle script, which installs the Bun runtime and then uses it to run the core malicious payload in bun_environment.js. Because the payload never executes under Node.js, static analysis and monitoring tuned to the standard Node.js execution path frequently miss it.
Once active, the worm utilizes TruffleHog to scan the infected environment for API keys and tokens. Unlike previous versions that used hardcoded repository names, this iteration creates randomly named GitHub repositories to store stolen secrets.
These repositories are identified by the description “Sha1-Hulud: The Second Coming,” with security researchers currently identifying approximately 26,300 exposed repositories.

Idan Dardikman, co-founder and CTO of Koi Security, emphasized the escalation in tactics. “This wave is larger, spreads more quickly, and is more violent than the last,” Dardikman stated. “There’s also a big security change coming to NPM, and it is very possible that the threat actor worked fast to infect as many victims as possible before that.”
The timing of this campaign appears calculated to precede npm’s scheduled revocation of classic tokens on December 9, 2025. The compromise has affected critical infrastructure software, including significant portions of the AsyncAPI and Postman ecosystems.
Security teams are advised to immediately audit dependency trees for the file indicators setup_bun.js and bun_environment.js and for preinstall hooks that invoke them, to rotate every credential that was reachable from an affected CI/CD environment, and to check their GitHub organizations for unexpected repositories carrying the “Sha1-Hulud: The Second Coming” description.
| Victim Organization | Affected Package Examples | Role of the Affected Packages |
|---|---|---|
| AsyncAPI | @asyncapi/cli, @asyncapi/generator, asyncapi-preview | Critical development tools used for event-driven architectures. |
| PostHog | @posthog/cli, @posthog/node, posthog-js | Analytics data ingestion and plugin infrastructure. |
| Postman | @postman/collection-fork, @postman/tunnel-agent | API development and testing utilities. |
| Zapier | @zapier/zapier-sdk, zapier-platform-core | Integration and automation SDKs. |
| ENS Domains | @ensdomains/ensjs, @ensdomains/thorin | Ethereum Name Service frontend and contract interactions. |
