Shai-Hulud Returns 2.0 – Massive Self-Propagating npm Supply-Chain Attack Hits 600 Packages and 100M+ Downloads
Posted on: 01 Dec 2025 | Author: Foresiet
Introduction
The software supply chain has come under assault once again with the resurgence of the Shai-Hulud npm worm, now significantly more advanced, more destructive, and far more widespread. In what is quickly being described as one of the most serious active threats to the npm ecosystem, the second wave of the Shai-Hulud campaign has compromised at least 600 npm packages, collectively downloaded more than 100 million times.
One of the most alarming aspects of this campaign is its origin point. The widely used @asyncapi/specs package, downloaded more than 1.4 million times per week, was identified as a likely patient zero, enabling rapid global propagation through automated dependency updates across thousands of development and production environments.
This attack underscores a harsh reality: supply-chain malware no longer relies on social engineering or binary droppers. Instead, it weaponizes trusted open-source ecosystems, exploiting developer confidence and dependency automation. This incident highlights the critical need for a robust threat intelligence platform that proactively tracks and blocks malicious dependencies.
Evolution of the Shai-Hulud Worm
Originally discovered in September by independent researchers, the malware has since evolved dramatically. The new version, referred to as “Shai-Hulud: The Second Coming,” introduces several upgrades that increase both stealth and destructive potential.
Key Characteristics of the New Variant
| Capability | Description |
| --- | --- |
| Self-propagating worm | Automatically infects other packages by the same maintainer |
| Destruction mode | Deletes user folders containing data under specific conditions |
| Advanced stealth | Malware injected via preinstall script |
| Data harvesting | Exfiltrates stolen secrets to attacker-controlled GitHub repositories |
| Automation | Uses 27,000+ GitHub repos with random naming patterns |
| New payload files | setup_bun.js and bun_environment.js |
Silent Activation Through npm Lifecycle Scripts
The malicious code is embedded via a preinstall hook in package.json, which npm executes automatically whenever the package is installed or updated.
Because developers commonly enable automated dependency updates and CI pipelines install dependencies silently, the infection chain bypasses user awareness entirely.
Propagation Mechanism
Once a system or development environment is compromised, the worm:
- Extracts credentials, OAuth tokens, and environment variables
- Uses them to gain access to GitHub accounts
- Creates new repositories (over 27,000 so far) to store stolen secrets
- Infects additional npm packages published by the compromised maintainer
- Self-replicates outward through dependency trees
An additional payload, the data-destruction routine, activates only under specific triggers, likely time-based or conditional environment checks.
Data Exfiltration & Infrastructure
The stolen data includes:
- AWS keys
- GCP credentials
- npm automation tokens
- GitHub secrets
- CI/CD system credentials
Repositories created during exfiltration reportedly carry randomized names and can be identified by the tag “Shai-Hulud: The Second Coming”.
Affected npm Packages (Partial List)
An estimated 600+ packages are compromised, with active propagation ongoing.
Known SHA1 Malware Hashes
Indicators of Compromise (IOCs)
File Artifacts
- setup_bun.js
- bun_environment.js
Malicious Activity Indicators
- Unexpected creation of new GitHub repositories
- VCS commit activity without user-initiated actions
- Unrecognized npm dependency version bumps in the last 12–24 hours
- Outbound requests from build systems to unfamiliar IP ranges
Search for suspicious repos
Developers should search their GitHub with:
“Shai-Hulud: The Second Coming”
Technical Detection Recommendations
YARA-style sample detection

Immediate Response Actions
- Disable automatic dependency updates (Renovate, Dependabot, npm audit fix)
- Inspect and revert package updates from the last 12 hours
- Rotate cloud service keys and developer tokens
- Check GitHub recent repository creation logs
- Freeze production build pipelines
Strategic Threat Intelligence Assessment
This incident marks a turning point in open-source security. The payload chain combines:
- Supply-chain compromise
- Worm-style propagation
- Data theft at scale
- Optional destructive capability
The risk to commercial, enterprise, and government environments is severe, particularly due to reliance on npm for microservices and SaaS deployments.
Conclusion
The Shai-Hulud: The Second Coming campaign represents one of the most dangerous real-world threats the npm ecosystem has ever encountered. Its blend of stealth, automated propagation, massive-scale exfiltration, and destructive capability makes it a priority event requiring immediate response from development, SOC, and DevSecOps teams globally.