Shai-Hulud Malware Infects 500 npm Packages, Leaks Secrets on GitHub



Shai-Hulud malware has infected over 500 npm packages, leaking sensitive information on GitHub. The attack highlights the ongoing threat of supply-chain attacks and the importance of maintaining strict security protocols for npm packages.



  • Hundreds of trojanized packages were planted in the npm registry, compromising over 500 packages.
  • The Shai-Hulud malware stole developer secrets using self-propagating payloads and the TruffleHog tool.
  • The malicious packages were published on npm using compromised maintainer accounts, evading detection.
  • The attack resulted in over 27,000 malicious packages being published on GitHub.
  • Developers are advised to check for infected packages, downgrade to safe versions, and rotate their secrets immediately.
  • GitHub is deleting the attacker's repositories, but new ones are emerging rapidly.



Shai-Hulud malware has once again made headlines for its devastating supply-chain attacks. In a recent incident, hundreds of trojanized versions of well-known packages such as Zapier, ENS Domains, PostHog, and Postman were planted in the npm registry, compromising over 500 packages with self-propagating payloads that used the TruffleHog tool to steal developer secrets.

The malicious packages were added to NPM (Node Package Manager) over the weekend, with the threat actor automatically downloading legitimate packages, modifying the package.json file to inject a malicious script, and then publishing them on npm using compromised maintainer accounts. This is not the first time Shai-Hulud has been used in supply-chain attacks; it first appeared in the npm space in mid-September and compromised 187 packages with a self-propagating payload that used TruffleHog to steal developer secrets.

The threat actor's methods have evolved over time, but the core goal remains the same: to infiltrate the npm registry and steal sensitive information from developers. The malware works by injecting malicious code into legitimate packages, which are then published on npm without detection. Once installed, the malware executes a script that collects developer and CI/CD secrets and publishes them to GitHub repositories.

In this latest attack, the malware was found in 492 trojanized packages, with multiple versions of some packages. The Shai-Hulud indicators were discovered by Charlie Eriksen, a malware researcher at Aikido Security. Eriksen warned that the stolen secrets were leaked on GitHub, and since then, the number of malicious packages has grown exponentially to over 27,000.

The repositories on GitHub are indicative of compromised developers who used trojanized npm packages and had GitHub credentials in their environment. The malware also relies on "extreme obfuscation techniques" such as a large hex-encoded string with thousands of entries, an anti-analysis loop, and an obfuscated function to retrieve every string in the code.

The malicious code collects developer and CI/CD secrets and publishes them to GitHub repositories with names referencing Shai-Hulud. The threat actor also gains access to GitHub accounts that they use to create repositories with four files: cloud.json, contents.json, environment.json, and truffleSecrets.json. These files contain the stolen secrets.

GitHub is deleting the attacker's repositories as they emerge, but the threat actor appears to be creating new ones very fast. The compromised packages include essential tools for Zapier developers and widely used libraries by wallets, DApps, exchanges, and the ENS Manager app.

Developers are advised to check Aikido's post for the complete list of infected packages, downgrade to safe versions, and rotate their secrets and CI/CD tokens immediately. Security teams should first identify the compromised packages and replace them with legitimate ones, and organizations should rotate all credentials tied to npm, GitHub, and cloud providers.

The return of Shai-Hulud comes at a time when GitHub has introduced additional security measures to prevent supply-chain attacks on npm, following a series of high-impact attacks on the platform. However, the measures are being implemented gradually.

In conclusion, the recent Shai-Hulud malware attack highlights the ongoing threat of supply-chain attacks and the importance of maintaining strict security protocols for npm packages. As the use of LLMs becomes more prevalent, security teams must be vigilant in protecting these new services from malicious actors.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Shai-Hulud-Malware-Infects-500-npm-Packages-Leaks-Secrets-on-GitHub-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/

  • https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised

  • https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised

  • https://posthog.com/handbook/company/security-advisories

  • https://github.com/trufflesecurity/trufflehog

  • https://trufflesecurity.com/blog/trufflehog-in-your-log


  • Published: Mon Nov 24 08:45:58 2025 by llama3.2 3B Q4_K_M