A New Wave of Supply-Chain Chaos: SHA1HULUD Malware Hijacks NPM Ecosystem and Exfiltrates Developer Secrets
Posted on: 25 Nov 2025 | Author: Foresiet
Introduction
A previously known malware strain, SHA1-HULUD, has resurfaced with a large-scale software supply-chain attack targeting the NPM ecosystem. More than 300 open-source NPM packages were maliciously modified within a short window, leading to the theft of sensitive credentials and over 20,000 compromised GitHub repositories.
This incident highlights the increasing weaponization of open-source ecosystems and the dangers posed by supply-chain attacks that spread rapidly and silently through developer environments.
Overview of the Attack
The escalated SHA1-HULUD attack of November 2025 exposes a critical failure in supply-chain security: hundreds of compromised NPM packages that impersonate the Bun runtime steal highly sensitive developer credentials, including AWS, GitHub, and cloud tokens, and establish worm-like persistence through a malicious GitHub Actions runner.
Defending against this effectively requires proactive, layered measures: Digital Risk Monitoring to detect stolen secrets on the dark web, a Threat Intelligence Platform to analyze and distribute indicators of compromise (IoCs), and Brand Protection Software to prevent abuse of trusted digital assets. This makes the findings of any Cyber Threat Report 2025 immediately relevant.
Technical Breakdown
The malicious code downloads the GitHub Actions runner, registers it automatically using stolen tokens, and executes run.sh (or the PowerShell equivalent) depending on the host OS (Linux, Windows, macOS). The code snippet below highlights the execution behavior:

It then implants a workflow file at:

This workflow aggregates all repository secrets, double-base64 encodes them into:
and exfiltrates them externally.

Stolen Data Format
The decoded sample shows highly sensitive cloud and CI/CD credentials including:

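The Technical Breakdown and Stolen Data Format sections describe a JSON object of repository secrets that has been base64-encoded twice. The following is an added triage example, not code from the original post or the malware: it reverses both layers of a recovered artifact and groups the recovered secret names by credential family so a responder knows what to rotate first. The sample blob, the placeholder values and the name/value heuristics are constructed for this example.

```python
import base64
import binascii
import json
import re

# Constructed sample modelled on the page's description: a JSON object of
# repository secrets, base64-encoded twice. All values are placeholders.
SAMPLE_SECRETS = {
    "AWS_ACCESS_KEY_ID": "AKIAPLACEHOLDER00000",
    "AWS_SECRET_ACCESS_KEY": "placeholder-not-a-real-secret",
    "GITHUB_TOKEN": "ghp_placeholderplaceholderplaceholder",
    "NPM_TOKEN": "npm_placeholderplaceholderplaceholder",
    "DEPLOY_NOTE": "not a credential",
}
SAMPLE_BLOB = base64.b64encode(
    base64.b64encode(json.dumps(SAMPLE_SECRETS).encode())
).decode()

# Name and value heuristics (hypothetical, illustrative) used to group
# recovered secrets by the system whose credentials must be rotated.
CREDENTIAL_HINTS = {
    "aws": re.compile(r"^AWS_|^AKIA", re.I),
    "github": re.compile(r"^GITHUB_|^GH_|^gh[pousr]_"),
    "npm": re.compile(r"^NPM_|^npm_"),
    "generic": re.compile(r"TOKEN|SECRET|KEY|PASSWORD", re.I),
}

def decode_double_base64(blob: str) -> dict:
    """Strip both base64 layers and parse the JSON secrets object."""
    try:
        inner = base64.b64decode(blob, validate=True)
        raw = base64.b64decode(inner, validate=True)
    except binascii.Error as exc:
        raise ValueError("not a double-base64 artifact") from exc
    return json.loads(raw)

def classify(secrets: dict) -> dict:
    """Map each secret name to a credential family, or 'unclassified'."""
    families = {}
    for name, value in secrets.items():
        families[name] = next(
            (fam for fam, pat in CREDENTIAL_HINTS.items()
             if pat.search(name) or pat.search(str(value))),
            "unclassified",
        )
    return families

def triage(blob: str) -> dict:
    """Decode a recovered exfiltration artifact and classify its contents."""
    return classify(decode_double_base64(blob))
```

Run triage() on the contents of a suspicious file found in a repository; every name it returns should be treated as exposed and rotated regardless of family.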
Evidence from Live GitHub Search
To validate the extent of the breach, our team conducted live searches across GitHub for files named actionsSecrets.json and repositories labeled “Sha1-Hulud: The Second Coming”, which are artifacts created by the malware during exfiltration. This confirms widespread compromise within developer repositories.

Screenshot 1 – GitHub search results displaying actionsSecrets.json artifacts
(Shows presence of exfiltrated credential files generated by the malware)

Screenshot 2 – Over 26,700 repositories containing signals of infection labeled “Sha1-Hulud: The Second Coming.”
(Demonstrates massive spread and automated propagation via GitHub Actions)
Scale of Impact
The attack appears to be linked to the same operators behind the September 2025 Shai-Hulud NPM poisoning campaign.
Current confirmed scope:
| Type | Volume |
|---|---|
| Infected NPM packages | 300+ |
| Impacted GitHub repositories | 20,000+ |
| Weekly downloads from affected libraries | Millions |
High-profile packages affected include:
- @zapier/zapier-sdk
- @posthog/core
- @asyncapi/specs
- @postman/tunnel-agent
- posthog-node, posthog-react-native
- Many AsyncAPI, Zapier, ENS, and Postman components
Some packages exceed 3 million weekly downloads, so the compromise is widespread.
Propagation Strategy
The worm spreads through:
- NPM auto-script execution (preinstall)
- Credential capture and republishing with valid tokens
- GitHub Actions automated propagation
- Cloud credential expansion to attacker infrastructure
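The first propagation step above, automatic execution of NPM lifecycle scripts such as preinstall, is something a defender can audit for directly. The following is an added example, not code from the original post: it walks a node_modules tree, flags any package whose name appears in the post's list of affected packages, and reports every install-time hook it finds. The sample manifests, the placeholder version and the hook command are constructed for this example.

```python
import json
import tempfile
from pathlib import Path

# Package names the post lists as affected (the page's list, not a complete
# indicator set) and the lifecycle hooks npm runs automatically on install.
AFFECTED_PACKAGES = {
    "@zapier/zapier-sdk", "@posthog/core", "@asyncapi/specs",
    "@postman/tunnel-agent", "posthog-node", "posthog-react-native",
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_manifest(manifest: dict) -> list:
    """Findings for one parsed package.json: affected name and/or install hooks."""
    label = f"{manifest.get('name', '<unnamed>')}@{manifest.get('version', '?')}"
    findings = []
    if manifest.get("name") in AFFECTED_PACKAGES:
        findings.append(f"{label}: package named in the Sha1-Hulud campaign")
    for hook in INSTALL_HOOKS:
        cmd = (manifest.get("scripts") or {}).get(hook)
        if cmd:
            findings.append(f"{label}: {hook} hook runs: {cmd}")
    return findings

def audit_node_modules(root) -> list:
    # Every package.json under the tree, scoped (@org/name) packages included.
    findings = []
    for path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: not a usable manifest
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest))
    return sorted(findings)

# Constructed samples: the second name is from the page; version and hook are placeholders.
SAMPLE_MANIFESTS = [
    {"name": "harmless-lib", "version": "1.0.0", "scripts": {"test": "node test.js"}},
    {"name": "@posthog/core", "version": "0.0.0-sample",
     "scripts": {"preinstall": "node install-hook.js"}},
]

def demo() -> list:
    """Write the samples into a temporary node_modules tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for manifest in SAMPLE_MANIFESTS:
            pkg_dir = Path(tmp, "node_modules", *manifest["name"].split("/"))
            pkg_dir.mkdir(parents=True)
            (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_node_modules(Path(tmp, "node_modules"))
```

Setting `ignore-scripts=true` in `.npmrc` blocks these hooks entirely, at the cost of breaking packages that legitimately need them.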
Threat Impact
- Massive CI/CD supply-chain compromise
- Theft of enterprise production cloud keys
- Potential lateral movement into corporate infrastructure
- Risk of ransomware, cryptomining, or data extortion
- Thousands of organizations may already be affected unknowingly
Given that many packages relate to analytics, CI/CD, API generators, and mobile SDKs, downstream effects could reach millions of end users.
Indicators of Compromise

Behavior
| Action | Purpose |
|---|---|
| TruffleHog scanning | Secret harvesting |
| GitHub Runner deployment | Persistence & exfiltration |
| Auto-publish packages | Worm spread |
| Double-encoded Base64 secrets | Data obfuscation |
Conclusion
The reappearance of the SHA1-HULUD worm marks one of the most severe NPM-based supply-chain attacks of 2025. By compromising open-source package delivery channels and CI/CD automation, attackers have weaponized trust in modern development ecosystems. With 20,000+ GitHub repositories compromised and hundreds of popular NPM packages poisoned, organizations must immediately review dependency updates and rotate all potentially exposed credentials.
Our team continues to monitor, track associated infrastructure, and map threat actor behavior. This campaign once again proves that supply-chain defense must be prioritized alongside endpoint and network security.
About us!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.