GitLab’s security team has discovered a severe, ongoing attack spreading dangerous malware through npm, the world’s most extensive code library.
The malware uses an alarming “dead man’s switch,” a self-destruct trigger that threatens to erase user data if the attack is shut down.
Security researchers identified multiple infected packages containing a destructive malware called Shai-Hulud.
Unlike typical malware, this variant spreads like a worm, automatically infecting other software packages owned by compromised developers.
Most alarmingly, the malware includes a dangerous feature: if its communication channels are cut off, it will destroy the victim’s files.
“We verified that GitLab was not using any malicious packages,” the company stated, while warning the broader security community of the active threat.
How the Attack Works
The malware enters systems through disguised installation scripts. When developers install an infected package, a file called setup_bun.js runs automatically.
It appears to install Bun, a legitimate programming tool, but actually launches hidden malicious code buried in a 10 megabyte obfuscated file.
Once activated, the malware searches the victim’s computer for valuable secrets: GitHub access tokens, Amazon and Microsoft cloud credentials, and npm publishing passwords.
It even downloads a security scanning tool to hunt through files and git history for hidden API keys.
The stolen credentials are uploaded to specially marked GitHub repositories with the phrase “Sha1-Hulud: The Second Coming” in their descriptions.
These repositories function as secure storage for stolen data. Cleverly, if one infected machine lacks sufficient access, it searches GitHub for repositories created by other compromised systems and retrieves tokens from them, creating a self-sustaining criminal network.
Using stolen npm credentials, the malware then infects all packages maintained by the victim, injecting its malicious code into each one and republishing them. This causes the infection to spread exponentially.
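The two indicators the article gives defenders, the setup_bun.js dropper wired into an install hook and the marker phrase in the exfiltration repositories’ descriptions, can be checked mechanically. The script below is an added example written for this article, not GitLab’s tooling; it scans an installed node_modules tree for manifests whose lifecycle hooks invoke the dropper (or that ship the file beside package.json) and tests a repository description for the marker. The package names it builds are constructed for the demonstration.

```python
import json
import os
import tempfile

DROPPER_FILE = "setup_bun.js"            # dropper name from the article
REPO_MARKER = "Sha1-Hulud: The Second Coming"  # exfil repo description marker
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def suspicious_hooks(manifest):
    """Lifecycle hooks in a package.json whose command invokes the dropper."""
    scripts = manifest.get("scripts") or {}
    return [h for h in LIFECYCLE_HOOKS
            if isinstance(scripts.get(h), str) and DROPPER_FILE in scripts[h]]

def scan_tree(root):
    """Walk an installed tree; report (name, hooks, dropper_present) for every
    manifest whose hooks run the dropper or that ships setup_bun.js beside it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the sweep
        hooks = suspicious_hooks(manifest)
        if hooks or DROPPER_FILE in files:
            findings.append((manifest.get("name", dirpath), hooks, DROPPER_FILE in files))
    return findings

def is_exfil_repo(description):
    """True if a GitHub repository description carries the worm's marker phrase."""
    return REPO_MARKER in (description or "")

def demo():
    """Build a constructed node_modules tree (hypothetical packages) and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed manifests, not real packages
        "tidy-strings": {"name": "tidy-strings", "scripts": {"test": "node test.js"}},
        "evil-widget": {"name": "evil-widget", "scripts": {"preinstall": "node setup_bun.js"}},
    }
    for pkg, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", pkg)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    # plant the dropper file itself, as the article says it ships with the package
    open(os.path.join(root, "node_modules", "evil-widget", DROPPER_FILE), "w").close()
    return scan_tree(root)
```

Run scan_tree against a real project’s node_modules directory; any finding warrants treating every credential on that machine as compromised, per the article’s advice.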
The Dangerous Dead Man’s Switch
The most terrifying component is the destructive payload. The malware continuously checks whether it can reach GitHub and npm.
If it loses access to both platforms simultaneously, which could happen if the platforms detect and shut down the attack, the malware triggers immediate destruction.
On Windows computers, it attempts to delete all user files and overwrite the hard drive. On Linux and Mac systems, it overwrites files with random data before deletion, making recovery virtually impossible.
This creates a nightmare scenario: if GitHub or npm takes action to stop the attack by deleting repositories or revoking compromised tokens, thousands of infected machines could simultaneously destroy their users’ data.
This attack represents a new level of supply chain danger. It’s not just stealing data; it’s holding user files hostage, threatening destruction if the attack infrastructure is disrupted.
Developers using npm packages are urged to monitor their systems for suspicious activity and change all credentials immediately.
GitLab continues investigating to understand the full scope of compromised packages.
