Ethical Hacking News

A devastating wave of cyber attacks hits GitHub repositories via malicious npm packages


Thousands of GitHub repositories have been infected by a new wave of devastating cyber-attacks via malicious npm packages. The attackers are believed to be utilizing a self-propagating malware targeting node package managers (npm), leaving thousands of developers exposed to malware and compromising sensitive information.

  • More than 25,000 GitHub repositories have been infected with malware, exposing thousands of developers to threats.
  • The attackers used self-propagating malware targeting node package managers (npm) to spread the infection.
  • The malicious code was executed during the pre-install phase, increasing potential exposures in build and runtime environments.
  • Major companies with thousands of weekly downloads have been affected, including Zapier, AsyncAPI, and Postman.
  • Security teams are advised to clear the npm cache, rotate credentials, and harden development pipelines to mitigate the attack.



A new wave of devastating cyber-attacks has struck GitHub repositories, leaving thousands of developers exposed to malware and compromising sensitive information. The attackers, believed to be utilizing a self-propagating malware targeting node package managers (npm), have infected more than 25,000 repositories within three days.

The attack, dubbed "Shai-Hulud" for the frequent references to the Dune worm in published data, first emerged in September and has since gained significant attention from cybersecurity experts. According to Wiz researchers, who identified the malware, the latest attacks operate similarly to the initial variant: scanning infected hosts for secrets, which the malware then publishes to the victims' own repositories.

The malicious code is executed during the pre-install phase, significantly increasing potential exposures in build and runtime environments. This new variant of the Shai-Hulud worm had trojanized npm packages by November 23, with attackers targeting numerous high-profile development platforms such as Zapier, AsyncAPI, ENS Domains, PostHog, and Postman.

The affected packages include those provided by major companies that have thousands of weekly downloads. The pace at which the worm is spreading makes cleanup a challenge for GitHub, as the platform actively deletes compromised repositories; however, more than 25,000 repositories had published their own secrets as of September 24, with 1,000 more being added every 30 minutes over "the last couple of hours," Wiz said on Monday morning.

The wormable malware spread via compromised npm packages. Once installed, it would scan infected hosts for AWS, GCP, Azure, and GitHub credentials before publishing them to the users' own repositories. Security teams are advised by Wiz to clear the npm cache and roll back dependencies to builds published before November 21. They should also rotate their credentials, manually hunt for signs of compromise (new repos, suspicious commits referencing "hulud," and new npm publications), and harden development pipelines.

The campaign borrows much from the infection chain of the initial September variant: attackers gain access to npm maintainer accounts and publish trojanized versions of their packages, which appear to originate from the official source. Developers then unwittingly download and run the malicious code, which backdoors their machines and scans for credentials and CI/CD secrets, which are then published to the user's own repositories.

Following the first Shai-Hulud attacks, which infected more than 500 packages in total and forced GitHub to scour its users' repos for exposed secrets, the development platform announced a tightening of security regarding npm. It responded by overhauling authentication protocols, switching from time-based one-time password 2FA to a FIDO-based method, deprecating legacy classic tokens, and making other similar changes.

Npm itself also announced that it would disable classic token creation, and all existing classic tokens will be revoked on December 9. The recent attacks have highlighted the need for better security measures in the development community, as well as the importance of staying up-to-date with the latest patches and updates.

The increasing frequency of supply chain attacks targeting the npm registry has been a pressing concern for developers and cybersecurity experts alike over the past year, with fresh attacks discovered frequently. In response to these growing concerns, GitHub has tightened its security regarding npm, and npm itself is taking steps to improve its own security measures.

In this latest wave of devastating cyber-attacks, thousands of developers have been left exposed to malware and have had sensitive information compromised. The attackers' use of self-propagating malware targeting node package managers (npm) has highlighted the need for better security measures in the development community. As the situation continues to unfold, it is essential that developers take proactive steps to protect themselves from these types of attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-devastating-wave-of-cyber-attacks-hits-GitHub-repositories-via-malicious-npm-packages-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/11/24/shai_hulud_npm_worm/

  • https://www.msn.com/en-us/technology/cybersecurity/shai-hulud-worm-returns-belches-secrets-to-25k-github-repos/ar-AA1R2Z16

  • https://phoenix.security/shai-hulud-second-coming-npms-biggest-supply-chain-breach/


  • Published: Mon Nov 24 09:21:39 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.