Shai-Hulud, the self-replicating npm worm named after the sandworms in Dune, has struck again.
This time, the attack was devastating in scale and sophistication, compromising over 800 npm packages with a combined 132 million monthly downloads across the ecosystem.
The timing proved particularly strategic. The attack occurred just weeks before npm's December 9 deadline to revoke classic tokens, a move designed to combat supply-chain attacks.
Many maintainers had not yet migrated to the trusted publishing alternative, so long-lived classic tokens were still in circulation during exactly the window the attackers chose, giving them an ideal opportunity to maximize impact.
How the Worm Spreads
According to Aikido Security, Shai-Hulud operates with ruthless efficiency. Once a compromised package is installed on a developer's system, the malware runs automatically from the package's install lifecycle script, so it executes before the installation completes. The worm then launches several malicious actions at once.
First, it runs TruffleHog, the open-source secret scanner, against the host to find exposed secrets, including API keys, authentication tokens, GitHub credentials, and cloud access tokens.
Any sensitive information discovered is exfiltrated to a public GitHub repository, created with the victim's stolen GitHub credentials and labeled with the theatrical description "Sha1-Hulud: The Second Coming." Researchers have already identified 26,300 such exfiltration repositories created by the attackers.
Critical Package Information
| Organization | Package Count | Notable Packages | Monthly Downloads (relative) | Severity |
|---|---|---|---|---|
| AsyncAPI | 36 | @asyncapi/cli, @asyncapi/generator, @asyncapi/parser | High | Critical |
| PostHog | 50+ | posthog-js, @posthog/nextjs, @posthog/clickhouse | High | Critical |
| Zapier | 40+ | @zapier/zapier-sdk, @zapier/ai-actions, @zapier/eslint-plugin-zapier | High | Critical |
| ENS (Ethereum Name Service) | 60+ | @ensdomains/ensjs, @ensdomains/ens-contracts, ethereum-ens | Medium | Critical |
| Postman | 35+ | @postman/postman-collection-fork, @postman/csv-parse, @postman/postman-mcp-server | High | Critical |
| Voiceflow | 80+ | @voiceflow/api-sdk, @voiceflow/widget, @voiceflow/common | High | Critical |
| Other Namespaces | 500+ | Various open-source and utility packages | Variable | Critical |
Second, the worm uses any npm publishing token it has harvested to push trojanized versions of packages the victim maintains, so each infected developer becomes a vector for further packages and their downstream users.
If authentication fails and the worm can neither exfiltrate nor propagate, it falls back to wiping files from the user's home directory, a scorched-earth tactic designed to cause maximum damage.
This iteration showcases a higher level of sophistication than previous waves. The worm now installs Bun (a JavaScript runtime) via a setup_bun.js loader, then executes the actual malware payload, bun_environment.js, under that runtime.
Rather than using hardcoded repository names, the attackers now generate random identifiers for the exfiltration repositories, complicating attribution and detection.
Critically, the attack scope expanded dramatically: Shai-Hulud now trojanizes up to 100 npm packages per infection, up from 20 in previous campaigns.
Defenders also discovered that some compromised packages contained staging code but lacked the full worm payload, suggesting operational mistakes by attackers that may have limited impact in certain instances.
The attack compromised packages from major technology organizations, including AsyncAPI (36 packages), PostHog (numerous analytics packages), Zapier (multiple SDK and plugin components), Postman (collection and utility packages), ENS (Ethereum Name Service packages), and countless smaller organizations.
The AsyncAPI team confirmed that attackers had even created a malicious branch in their CLI repository, suggesting they may have compromised GitHub credentials directly.
With 132 million monthly downloads affected, the potential blast radius extends across thousands of organizations, many of which are unaware that their systems may already contain the worm.
The npm community’s vulnerability stems partly from dependency chains so deep that developers rarely audit all transitive packages.
Combined with inadequate secret management practices, supply-chain attacks remain devastatingly effective.
Organizations must recognize that package installation is no longer a routine administrative step; it is a security event that requires active threat monitoring and credential protection.
