On November 24, 2025, researchers identified a renewed supply-chain attack linked to Shai-Hulud malware, revealing that numerous npm packages had been quietly trojanized following the initial wave of malicious activity in September. This second iteration involved compromised versions of popular packages uploaded between November 21, 2025, and November 23, 2025, with additional compromised packages continuing to surface at the time of writing.
The malware in this wave is more sophisticated than the previous campaign, executing during the preinstall phase of npm via scripts such as setup_bun.js that drop a heavily obfuscated payload (bun_environment.js). Once executed, it scans the environment for developer secrets (including GitHub tokens, cloud credentials such as AWS, GCP, and Azure, and npm tokens) and exfiltrates them to attacker-controlled GitHub repositories, often with auto-generated names and descriptions referencing "Shai-Hulud: The Second Coming."
The malware also acts like a worm, self-propagating by using stolen npm tokens from compromised maintainers to publish malicious versions of other packages under their accounts. If it fails to authenticate or exfiltrate secrets, it may delete the user's home directory.
Package management ecosystems such as npm have been heavily targeted by threat actors recently and are likely to remain a prime focus for organizations that incorporate these tools into their development toolchain.
Affected Code Packages
The npm software registry is the world's largest package repository, containing more than 800,000 code packages with millions of downloads per day. As it is widely used in development environments, organizations that use npm as part of their development workflow are recommended to review the referenced list of affected packages that have been identified so far.
Recommendations
Review GitHub Accounts for Malicious Repositories
In this campaign, thousands of malicious GitHub repositories were created for data exfiltration and persistence. Review your GitHub accounts for newly created git repositories that are unexpected, especially in situations where they contain filenames such as:
- cloud.json
- contents.json
- environment.json
- truffleSecrets.json
- discussion.yaml (typically located in .github/workflows/discussion.yaml)
If you are not using GitHub in your environment but do publish packages to npm registries, look for new, unsanctioned versions of packages deployed to npm registries, as these may indicate abuse of stolen npm tokens.
Identify?and Remove Affected?npm?Packages
Hijacked npm packages that were identified by their maintainers are being removed from the npm registry to prevent further distribution. It is recommended that organizations review and remove affected versions of npm packages from their environments, especially on devices and CI/CD systems where npm is used as part of the development pipeline.
Special care should be taken in any confirmed infection scenario where npm authentication tokens are present for publication of packages to private or public npm registries, considering that this malware attempts to propagate by deploying trojanized versions of packages using those credentials.
Where feasible, prioritize purging and reinstalling npm packages on development workstations and build infrastructure that may have installed impacted versions, ensuring that only pinned, known-good versions are reintroduced. As described on the referenced page, clearing local npm caches as part of this process can help prevent reinstallation of trojanized artifacts.
Note: The full process of remediation in a confirmed infection scenario may involve additional steps beyond what's articulated in this security bulletin, such as purging local npm cache.
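As an added example (not code from Arctic Wolf or this bulletin), the following Python scanner applies the indicators from the two sections above in one pass: it walks a node_modules tree, an npm cache extract, or a folder of repository clones and flags package.json preinstall hooks that invoke setup_bun.js or bun_environment.js, the dropper/payload files themselves, and the exfiltration artifact filenames. The build_sample_tree helper and everything it writes are constructed for demonstration only.

```python
import json
import os
import tempfile

# Indicators named in the bulletin: preinstall dropper/payload names and exfil repo filenames.
DROPPER_FILES = {"setup_bun.js", "bun_environment.js"}
EXFIL_FILES = {"cloud.json", "contents.json", "environment.json", "truffleSecrets.json"}
WORKFLOW_FILE = ".github/workflows/discussion.yaml"

def scan_tree(root):
    """Walk root (node_modules, npm cache, git clones); return sorted (kind, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            path = os.path.relpath(full, root).replace(os.sep, "/")
            if name in DROPPER_FILES:
                findings.append(("dropper-file", path))
            if name in EXFIL_FILES or path.endswith(WORKFLOW_FILE):
                findings.append(("exfil-artifact", path))
            if name != "package.json":
                continue
            try:
                with open(full, encoding="utf-8") as fh:
                    scripts = json.load(fh).get("scripts") or {}
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed manifest: not an indicator by itself
            hook = str(scripts.get("preinstall", ""))
            if any(d in hook for d in DROPPER_FILES):
                findings.append(("preinstall-hook", path))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample (not real packages): one hooked package, one clean, one exfil clone."""
    root = tempfile.mkdtemp(prefix="shai_hulud_scan_")
    layout = {
        "node_modules/bad-pkg/package.json": json.dumps(
            {"name": "bad-pkg", "scripts": {"preinstall": "node setup_bun.js"}}),
        "node_modules/bad-pkg/setup_bun.js": "// constructed placeholder\n",
        "node_modules/bad-pkg/bun_environment.js": "// constructed placeholder\n",
        "node_modules/good-pkg/package.json": json.dumps({"name": "good-pkg", "scripts": {"test": "jest"}}),
        "clones/suspect-repo/cloud.json": "{}\n",
        "clones/suspect-repo/.github/workflows/discussion.yaml": "name: constructed\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Point scan_tree at a real node_modules directory or a directory of cloned repositories; any "preinstall-hook" or "dropper-file" hit warrants quarantine and the credential rotation described below.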
Contact Arctic Wolf if an Infection is Suspected
If you are an Arctic Wolf customer and suspect that you have been affected by this campaign, please email security@arcticwolf.com and call one of the following numbers:
- For US support, please call +1 (888) 272-8429
- For CA support, please call +1 (800) 300-0263
- For DE support, please call +49 30 16637144
- For UK support, please call +44 800 260 6438
- For AUS support, please call +61 2 5119 8562
All packages and versions known to be affected thus far are listed in the referenced resource.
Rotate Secrets on Devices Running?Trojanized?npm?Packages
At minimum, any device or CI/CD runner confirmed or strongly suspected to be running trojanized versions of npm packages should be quarantined until fully remediated, and any accessible secrets should be rotated or revoked and reissued.
Because threat actors in this campaign aggressively harvest and exfiltrate sensitive credentials, teams may also consider rotating these credentials across development and build environments where npm packages are regularly installed, even without a confirmed compromise but where exposure to affected packages is plausible.
Potentially affected secrets include, but are not necessarily limited to:
- AWS credentials, including access keys (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), IAM credentials, and session tokens.
- Google Cloud service credentials, including OAuth tokens and service account keys.
- Azure credentials, including service principals and access tokens.
- Credentials stored in credential management tools such as AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault.
- npm authentication tokens (i.e., those used for automation and publication).
- API keys stored in environment variables throughout code.
- SSH keys used with Git.
- Database credentials stored in connection strings.
- GitHub personal access tokens.
- GitHub Actions secrets.
Note: At the time of this writing, TruffleHog (a credential extraction tool commonly used by threat actors) supports over 800 different types of credentials for extraction. While there is no central documentation page listing out all supported credential types, a list is provided in their GitHub repository.