
Shai-Hulud Returns 2.0 – Massive Self-Propagating npm Supply-Chain Attack Hits 600 Packages and 100M+ Downloads

Posted on: 01 Dec 2025 | Author: Foresiet

Introduction

The software supply chain is under assault again with the resurgence of the Shai-Hulud npm worm, now more capable, more destructive, and far more widespread than the first wave. In what is quickly being described as one of the most serious active threats to the npm ecosystem, the second wave of the campaign has compromised at least 600 npm packages, which together account for more than 100 million downloads.

One of the most alarming aspects of this campaign is its origin point. The widely used @asyncapi/specs package, downloaded more than 1.4 million times per week, has been identified as a likely patient zero; from there, automated dependency updates carried the infection rapidly into thousands of development and production environments.

The attack underscores a harsh reality: supply-chain malware no longer needs to social-engineer each victim or smuggle in a binary dropper. It weaponizes the trust placed in open-source ecosystems and the automation built around dependencies, so that a single compromised maintainer account turns every downstream install into an execution vector. Proactively tracking and blocking malicious dependencies, with threat intelligence current enough to catch a campaign like this one while it is still spreading, is therefore a baseline requirement rather than a nice-to-have.

Evolution of the Shai-Hulud Worm

Originally discovered in September 2025 by independent researchers, the malware has evolved significantly since. The new version, referred to as "Shai-Hulud: The Second Coming," introduces several upgrades that increase both its stealth and its destructive potential.

Key Characteristics of the New Variant

  • Self-propagating worm: automatically infects other packages published by the compromised maintainer
  • Destruction mode: deletes user folders containing data under specific conditions
  • Stealth: the loader runs from a preinstall lifecycle script, so it executes before the package's own code is ever imported or inspected
  • Data harvesting: exfiltrates stolen secrets to attacker-controlled GitHub repositories
  • Automation: uses 27,000+ GitHub repositories with random naming patterns
  • New payload files: setup_bun.js and bun_environment.js

Silent Activation Through npm Lifecycle Scripts

The malicious code is wired in through a preinstall hook in package.json, so it runs automatically whenever the package is installed or updated, before any of the package's own code is imported.

Because developers commonly enable automated dependency updates, and CI pipelines install dependencies with nobody watching the output, the infection chain runs without any user interaction or awareness.

Propagation Mechanism

Once a system or development environment is compromised, the worm:

  1. Extracts credentials, OAuth tokens, and environment variables
  2. Uses them to gain access to GitHub accounts
  3. Creates new repositories (over 27,000 so far) to store stolen secrets
  4. Infects additional npm packages published by the compromised maintainer
  5. Self-replicates outward through dependency trees

The additional payload (the data-destruction routine) activates only under specific triggers, likely time-based or conditional environment checks.

Data Exfiltration & Infrastructure

The stolen data includes:

  • AWS keys
  • GCP credentials
  • npm automation tokens
  • GitHub secrets
  • CI/CD system credentials

Repositories created during exfiltration reportedly contain randomized names and can be identified by the tag:

The Shai-Hulud: The Second Coming campaign represents one of the most dangerous real-world threats the npm ecosystem has ever encountered. Its blend of stealth, automated propagation, massive-scale exfiltration, and destructive capability makes it a priority event requiring immediate response from development, SOC, and DevSecOps teams globally.

Affected npm Packages (Partial List)

Package Name    Version (where reported)

atrix

@ensdomains/content-hash

@ensdomains/curvearithmetics

@ensdomains/dnssecoraclejs

@ensdomains/durin-middleware

@ensdomains/ens-archived-contracts           0.0.3

@ensdomains/ens-avatar       1.0.4

@ensdomains/ens-contracts  1.6.1

@ensdomains/ens-validation 0.1.1

@ensdomains/ensjs    4.0.3

@ensdomains/ensjs-react      0.0.5

@ensdomains/hardhat-toolbox-viem-extended        0.0.6

@ensdomains/name-wrapper            1.0.1

@ensdomains/offchain-resolver-contracts    0.2.2

@ensdomains/react-ens-address       0.0.32

@ensdomains/subdomain-registrar   0.2.4

@ensdomains/unicode-confusables   0.1.1

@ensdomains/unruggable-gateways 0.0.3

@ensdomains/web3modal     1.10.2

@hapheus/n8n-nodes-pgp      1.5.1

@louisle2/core           1.0.1

@louisle2/cortex-js     0.1.6

@markvivanco/app-version-checker 1.0.2

@mcp-use/cli  2.2.7

@mcp-use/inspector  0.6.3

@mcp-use/mcp-use    1.0.2

@mparpaillon/connector-parse         1.0.1

@mparpaillon/imagesloaded 4.1.2

@orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode         2.0.5

@orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode         1.1.1

@orbitgtbelgium/orbit-components  1.2.9

@orbitgtbelgium/time-slider 1.0.187

@trigo/atrix-acl          4.0.2

@trigo/atrix-elasticsearch     2.0.1

@trigo/atrix-orientdb 1.0.2

@trigo/atrix-postgres 1.0.3

@trigo/atrix-pubsub   4.0.3

@trigo/atrix-redis       1.0.2

@trigo/atrix-soap       1.0.2

@trigo/atrix-swagger 3.0.1

@trigo/bool-expressions        4.1.3

@trigo/eslint-config-trigo      3.3.1

@trigo/fsm     3.4.2

@trigo/hapi-auth-signedlink  1.3.1

@trigo/jsdt      0.2.1

@trigo/keycloak-api   1.3.1

@trigo/node-soap       0.5.4

@trigo/pathfinder-ui-css        0.1.1

@trigo/trigo-hapijs     5.0.1

@zapier/ai-actions     0.1.20

@zapier/ai-actions-react        0.1.14

@zapier/ai-actions-react        0.1.13

@zapier/ai-actions-react        0.1.12

@zapier/babel-preset-zapier 6.4.3

@zapier/browserslist-config-zapier   1.0.5

@zapier/eslint-plugin-zapier  11.0.5

@zapier/mcp-integration       3.0.1

@zapier/mcp-integration       3.0.3

@zapier/mcp-integration       3.0.2

@zapier/secret-scrubber        1.1.3

@zapier/secret-scrubber        1.1.4

@zapier/secret-scrubber        1.1.5

@zapier/spectral-api-ruleset 1.9.3

@zapier/stubtree        0.1.3

@zapier/stubtree        0.1.4

@zapier/stubtree        0.1.2

@zapier/zapier-sdk     0.15.7

@zapier/zapier-sdk     0.15.5

@zapier/zapier-sdk     0.15.6

atrix-mongoose           1.0.1

bool expressions         0.1.2

bytecode-checker-cli  1.0.11

claude-token-updater 1.0.3

command-irail 0.5.4

cpu-instructions          0.0.14

create-hardhat3-app  1.1.4

create-mcp-use-app   0.5.4

crypto-addr-codec      0.1.9

devstart-cli      1.0.6

eslint-config-trigo       22.0.2

ethereum-ens 0.8.1

evm-checkcode-cli      1.0.15

exact-ticker     0.3.5

gate-evm-check-code2           2.0.6

gate-evm-tools-test    1.0.8

jan-browser     0.13.1

lite-serper-mcp-server           0.2.2

mcp-use          1.4.3

orbit-boxicons 2.1.3

orbit-nebula-draw-tools          1.0.10

orbit-nebula-editor     1.0.2

orbit-soap        0.43.13

react-component-taggers       0.1.9

react-element-prompt-inspector       0.1.18

react-library-setup      0.0.6

redux-forge     2.5.3

redux-router-kit          1.2.4

skills-use          0.1.2

test-foundry-app         1.0.4

test-hardhat-app         1.0.4

token.js-fork    0.7.32

trigo-react-app           4.1.2

typeorm-orbit 0.2.27

zapier-async-storage  1.0.3

zapier-platform-cli      18.0.4

zapier-platform-cli      18.0.2

zapier-platform-cli      18.0.3

zapier-platform-core  18.0.2

zapier-platform-core  18.0.3

zapier-platform-core  18.0.4

zapier-platform-legacy-scripting-runner       4.0.4

zapier-platform-schema         18.0.3

zapier-platform-schema         18.0.4

zapier-platform-schema         18.0.2

zapier-scripts  7.8.3

zapier-scripts  7.8.4

zuper-cli          1.0.1

zuper-stream  2.0.9

02-echo           0.0.7

@accordproject/concerto-analysis    3.24.1

@accordproject/concerto-linter        3.24.1

@accordproject/concerto-linter-default-ruleset       3.24.1

@accordproject/concerto-metamodel          3.12.5

@accordproject/concerto-types         3.24.1

@accordproject/markdown-it-cicero 0.16.26

@accordproject/template-engine      2.7.2

@actbase/css-to-react-native-transform       1.0.3

@actbase/native         0.1.32

@actbase/node-server           1.1.19

@actbase/react-absolute       0.8.3

@actbase/react-daum-postcode        1.0.5

@actbase/react-kakaosdk      0.9.27

@actbase/react-native-actionsheet   1.0.3

@actbase/react-native-devtools        0.1.3

@actbase/react-native-fast-image    8.5.13

@actbase/react-native-kakao-channel          1.0.2

@actbase/react-native-kakao-navi    2.0.4

@actbase/react-native-less-transformer       1.0.6

@actbase/react-native-naver-login   1.0.1

@actbase/react-native-simple-video 1.0.13

@actbase/react-native-tiktok 1.1.3

@alaan/s2s-auth         2.0.3

@alexcolls/nuxt-socket.io       0.0.7

@alexcolls/nuxt-ux     0.6.1

@aryanhussain/my-angular-lib          0.0.23

@asyncapi/avro-schema-parser        3.0.26

@asyncapi/bundler     0.6.6

@asyncapi/cli 4.1.3

@asyncapi/converter 1.6.4

@asyncapi/diff            0.5.2

@asyncapi/dotnet-rabbitmq-template          1.0.2

@asyncapi/edavisualiser        1.2.2

@asyncapi/generator 2.8.6

@asyncapi/generator-components    0.3.3

@asyncapi/generator-helpers            0.2.2

@asyncapi/generator-react-sdk         1.1.5

@asyncapi/go-watermill-template    0.2.77

@asyncapi/html-template      3.3.3

@asyncapi/java-spring-cloud-stream-template        0.13.6

@asyncapi/java-spring-template       1.6.2

@asyncapi/java-template      0.3.6

@asyncapi/keeper      0.0.3

@asyncapi/markdown-template        1.6.9

@asyncapi/modelina  5.10.3

@asyncapi/modelina-cli         5.10.3

@asyncapi/multi-parser         2.2.2

@asyncapi/nodejs-template   3.0.6

@asyncapi/nodejs-ws-template         0.10.2

@asyncapi/nunjucks-filters    2.1.2

@asyncapi/openapi-schema-parser   3.0.26

@asyncapi/optimizer  1.0.6

@asyncapi/parser       3.4.2

@asyncapi/php-template       0.1.2

@asyncapi/problem   1.0.2

@asyncapi/protobuf-schema-parser  3.5.3

@asyncapi/python-paho-template     0.2.15

@asyncapi/react-component 2.6.7

@asyncapi/server-api 0.16.25

@asyncapi/specs        6.8.3

@asyncapi/studio       1.0.3

@asyncapi/web-component   2.6.7

@caretive/caret-cli    0.0.2

@clausehq/flows-step-httprequest    0.1.14

@clausehq/flows-step-jsontoxml       0.1.14

@clausehq/flows-step-mqtt   0.1.14

@clausehq/flows-step-sendgridemail            0.1.14

@clausehq/flows-step-taskscreateurl            0.1.14

@commute/bloom     1.0.3

@commute/market-data       1.0.2

@commute/market-data-chartjs       2.3.1

@dev-blinq/ai-qa-logic           1.0.19

@dev-blinq/blinqioclient        1.0.21

@dev-blinq/cucumber-js        1.0.131

@dev-blinq/cucumber_client 1.0.738

@dev-blinq/ui-systems           1.0.93

@ensdomains/address-encoder         1.1.5

@ensdomains/blacklist           1.0.1

@ensdomains/buffer  0.1.2

@ensdomains/ccip-read-cf-worker    0.0.4

@ensdomains/ccip-read-dns-gateway           0.1.1

@ensdomains/ccip-read-router         0.0.7

@ensdomains/ccip-read-worker-viem           0.0.4

@ensdomains/cypress-metamask      1.2.1

@ensdomains/dnsprovejs       0.5.3

@ensdomains/dnssec-oracle-anchors            0.0.2

@ensdomains/durin   0.1.2

@ensdomains/ens-test-env    1.0.2

@ensdomains/eth-ens-namehash      2.0.16

@ensdomains/hackathon-registrar    1.0.5

@ensdomains/hardhat-chai-matchers-viem 0.1.15

@ensdomains/mock   2.1.52

@ensdomains/op-resolver-contracts 0.0.2

@ensdomains/renewal           0.0.13

@ensdomains/renewal-widget          0.1.10

@ensdomains/reverse-records          1.0.1

@ensdomains/server-analytics          0.0.2

@ensdomains/solsha1            0.0.4

@ensdomains/test-utils          1.3.1

@ensdomains/thorin  0.6.51

@ensdomains/ui         3.4.6

@ensdomains/vite-plugin-i18next-loader      4.0.4

@everreal/react-charts          2.0.1

@everreal/react-charts          2.0.2

@everreal/validate-esmoduleinterop-imports          1.4.5

@everreal/validate-esmoduleinterop-imports          1.4.4

@everreal/web-analytics       0.0.2

@everreal/web-analytics       0.0.1

@ifelsedeveloper/protocol-contracts-svm-idl           0.1.2

@ifings/design-system           4.9.2

@ifings/metatron3     0.1.5

@kvytech/cli   0.0.7

@kvytech/components           0.0.2

@kvytech/habbit-e2e-test      0.0.2

@kvytech/medusa-plugin-announcement     0.0.8

@kvytech/medusa-plugin-management        0.0.5

@kvytech/medusa-plugin-newsletter            0.0.5

@kvytech/medusa-plugin-product-reviews   0.0.9

@kvytech/medusa-plugin-promotion             0.0.2

@kvytech/web            0.0.2

@lessondesk/api-client           9.12.2

@lessondesk/api-client           9.12.3

@lessondesk/babel-preset     1.0.1

@lessondesk/electron-group-api-client         1.0.3

@lessondesk/eslint-config      1.4.2

@lessondesk/material-icons  1.0.3

@lessondesk/react-table-context       2.0.4

@lessondesk/schoolbus          5.2.3

@lessondesk/schoolbus          5.2.2

@lpdjs/firestore-repo-service            1.0.1

@markvivanco/app-version-checker 1.0.1

@mcp-use/cli  2.2.6

@mcp-use/inspector  0.6.2

@mcp-use/mcp-use    1.0.1

@mparpaillon/page   1.0.1

@ntnx/passport-wso2             0.0.3

@ntnx/t           0.0.101

@osmanekrem/bmad 1.0.6

@osmanekrem/error-handler            1.2.2

@posthog/agent         1.24.1

@posthog/ai   7.1.2

@posthog/automatic-cohorts-plugin 0.0.8

@posthog/bitbucket-release-tracker 0.0.8

@posthog/cli   0.5.15

@posthog/clickhouse  1.7.1

@posthog/core           1.5.6

@posthog/currency-normalization-plugin     0.0.8

@posthog/customerio-plugin             0.0.8

@posthog/databricks-plugin  0.0.8

@posthog/drop-events-on-property-plugin   0.0.8

@posthog/event-sequence-timer-plugin       0.0.8

@posthog/filter-out-plugin     0.0.8

@posthog/first-time-event-tracker    0.0.8

@posthog/geoip-plugin          0.0.8

@posthog/github-release-tracking-plugin     0.0.8

@posthog/gitub-star-sync-plugin       0.0.8

@posthog/heartbeat-plugin   0.0.8

@posthog/hedgehog-mode    0.0.42

@posthog/icons          0.36.1

@posthog/ingestion-alert-plugin       0.0.8

@posthog/intercom-plugin    0.0.8

@posthog/kinesis-plugin        0.0.8

@posthog/laudspeaker-plugin           0.0.8

@posthog/lemon-ui    0.0.1

@posthog/maxmind-plugin    0.1.6

@posthog/migrator3000-plugin         0.0.8

@posthog/netdata-event-processing             0.0.8

@posthog/nextjs         0.0.3

@posthog/nextjs-config          1.5.1

@posthog/nuxt           1.2.9

@posthog/pagerduty-plugin   0.0.8

@posthog/piscina       3.2.1

@posthog/plugin-contrib        0.0.6

@posthog/plugin-server         1.10.8

@posthog/plugin-unduplicates           0.0.8

@posthog/postgres-plugin     0.0.8

@posthog/react-rrweb-player           1.1.4

@posthog/rrdom        0.0.31

@posthog/rrweb         0.0.31

@posthog/rrweb-player         0.0.31

@posthog/rrweb-record         0.0.31

@posthog/rrweb-replay         0.0.19

@posthog/rrweb-snapshot     0.0.31

@posthog/rrweb-utils             0.0.31

@posthog/sendgrid-plugin     0.0.8

@posthog/siphash      1.1.2

@posthog/snowflake-export-plugin   0.0.8

@posthog/taxonomy-plugin   0.0.8

@posthog/twilio-plugin          0.0.8

@posthog/twitter-followers-plugin    0.0.8

@posthog/url-normalizer-plugin        0.0.8

@posthog/variance-plugin     0.0.8

@posthog/web-dev-server     1.0.5

@posthog/wizard        1.18.1

@posthog/zendesk-plugin      0.0.8

@postman/aether-icons         2.23.3

@postman/aether-icons         2.23.2

@postman/aether-icons         2.23.4

@postman/csv-parse  4.0.4

@postman/csv-parse  4.0.5

@postman/csv-parse  4.0.3

@postman/final-node-keytar 7.9.1

@postman/final-node-keytar 7.9.2

@postman/final-node-keytar 7.9.3

@postman/mcp-ui-client        5.5.1

@postman/mcp-ui-client        5.5.3

@postman/mcp-ui-client        5.5.2

@postman/node-keytar          7.9.4

@postman/node-keytar          7.9.5

@postman/node-keytar          7.9.6

@postman/pm-bin-linux-x64  1.24.5

@postman/pm-bin-linux-x64  1.24.3

@postman/pm-bin-linux-x64  1.24.4

@postman/pm-bin-macos-arm64      1.24.3

@postman/pm-bin-macos-arm64      1.24.5

@postman/pm-bin-macos-arm64      1.24.4

@postman/pm-bin-macos-x64           1.24.5

@postman/pm-bin-macos-x64           1.24.4

@postman/pm-bin-macos-x64           1.24.3

@postman/pm-bin-windows-x64       1.24.3

@postman/pm-bin-windows-x64       1.24.4

@postman/pm-bin-windows-x64       1.24.5

@postman/postman-collection-fork  4.3.3

@postman/postman-collection-fork  4.3.4

@postman/postman-collection-fork  4.3.5

@postman/postman-mcp-cli  1.0.5

@postman/postman-mcp-cli  1.0.4

@postman/postman-mcp-cli  1.0.3

@postman/postman-mcp-server       2.4.11

@postman/postman-mcp-server       2.4.10

@postman/postman-mcp-server       2.4.12

@postman/pretty-ms 6.1.2

@postman/pretty-ms 6.1.1

@postman/pretty-ms 6.1.3

@postman/secret-scanner-wasm      2.1.2

@postman/secret-scanner-wasm      2.1.3

@postman/secret-scanner-wasm      2.1.4

@postman/tunnel-agent        0.6.7

@postman/tunnel-agent        0.6.5

@postman/tunnel-agent        0.6.6

@postman/wdio-allure-reporter        0.0.9

@postman/wdio-allure-reporter        0.0.8

@postman/wdio-allure-reporter        0.0.7

@postman/wdio-junit-reporter          0.0.6

@postman/wdio-junit-reporter          0.0.4

@postman/wdio-junit-reporter          0.0.5

@relyt/claude-context-core   0.1.1

@relyt/claude-context-mcp   0.1.1

@relyt/mcp-server-relytone  0.0.3

@seung-ju/next          0.0.2

@seung-ju/openapi-generator           0.0.4

@seung-ju/react-hooks          0.0.2

@seung-ju/react-native-action-sheet            0.2.1

@thedelta/eslint-config          1.0.2

@tiaanduplessis/json  2.0.2

@tiaanduplessis/json  2.0.3

@tiaanduplessis/react-progressbar   1.0.2

@tiaanduplessis/react-progressbar   1.0.1

@trefox/sleekshop-js  0.1.6

@trigo/atrix    7.0.1

@trigo/atrix-mongoose          1.0.2

@varsityvibe/api-client          1.3.37

@varsityvibe/api-client          1.3.36

@varsityvibe/utils       5.0.6

@varsityvibe/validation-schemas      0.6.8

@varsityvibe/validation-schemas      0.6.7

@zapier/ai-actions     0.1.19

@zapier/ai-actions     0.1.18

@zapier/babel-preset-zapier 6.4.2

@zapier/babel-preset-zapier 6.4.1

@zapier/browserslist-config-zapier   1.0.3

@zapier/browserslist-config-zapier   1.0.4

@zapier/eslint-plugin-zapier  11.0.4

@zapier/eslint-plugin-zapier  11.0.3

@zapier/spectral-api-ruleset 1.9.2

@zapier/spectral-api-ruleset 1.9.1

asyncapi-preview        1.0.2

automation_model     1.0.491

axios-cancelable         1.0.2

axios-cancelable         1.0.1

axios-timed     1.0.1

axios-timed     1.0.2

barebones-css 1.1.4

barebones-css 1.1.3

blinqio-executions-cli  1.0.41

blob-to-base64            1.0.3

bytecode-checker-cli  1.0.9

bytecode-checker-cli  1.0.8

bytecode-checker-cli  1.0.10

bytes-to-x        1.0.1

calc-loan-interest        1.0.4

capacitor-plugin-apptrackingios         0.0.21

capacitor-plugin-purchase      0.1.1

capacitor-plugin-scgssigninwithgoogle          0.0.5

capacitor-purchase-history     0.0.10

capacitor-voice-recorder-wav 6.0.3

chrome-extension-downloads            0.0.3

coinmarketcap-api      3.1.3

coinmarketcap-api      3.1.2

colors-regex    2.0.1

compare-obj   1.1.2

compare-obj   1.1.1

count-it-down  1.0.1

count-it-down  1.0.2

create-glee-app          0.2.3

create-hardhat3-app  1.1.3

create-hardhat3-app  1.1.1

create-hardhat3-app  1.1.2

create-mcp-use-app   0.5.3

css-dedoupe    0.1.2

designstudiouiux         1.0.1

discord-bot-server      0.1.2

don’t go           1.1.2

dotnet-template          0.0.4

drop-events-on-property-plugin         0.0.2

email-deliverability-tester      1.1.1

enforce-branch-name 1.1.3

eslint-config-nitpicky  4.0.1

evm-checkcode-cli      1.0.12

evm-checkcode-cli      1.0.13

evm-checkcode-cli      1.0.14

expo-audio-session     0.2.1

expressos        1.1.3

fat-fingered     1.0.1

fat-fingered     1.0.2

feature-flip      1.0.1

feature-flip      1.0.2

firestore-search-engine          1.2.3

fittxt    1.0.3

fittxt    1.0.2

flapstacks        1.0.1

flapstacks        1.0.2

flatten-unflatten         1.0.1

flatten-unflatten         1.0.2

formik-error-focus      2.0.1

formik-store    1.0.1

fuzzy-finder     1.0.6

fuzzy-finder     1.0.5

gate-evm-check-code2           2.0.5

gate-evm-check-code2           2.0.3

gate-evm-check-code2           2.0.4

gate-evm-tools-test    1.0.7

gate-evm-tools-test    1.0.5

gate-evm-tools-test    1.0.6

gatsby-plugin-cname  1.0.2

gatsby-plugin-cname  1.0.1

generator-ng-itobuz    0.0.15

get-them-args 1.3.3

github-action-for-generator   2.1.28

gitsafe 1.0.5

go-template    0.1.9

gulp-inject-envs          1.2.2

gulp-inject-envs          1.2.1

haufe-axera-api-client 0.0.1

haufe-axera-api-client 0.0.2

hope-mapboxdraw      0.1.1

hopedraw        1.0.3

httpness           1.0.3

httpness           1.0.2

hyper-fullfacing          1.0.3

hyperterm-hipster      1.0.7

image-to-uri    1.0.2

image-to-uri    1.0.1

invo     0.2.2

ito-button        8.0.3

itobuz-angular 0.0.1

itobuz-angular-auth    8.0.11

itobuz-angular-button 8.0.11

jacob-zuma     1.0.2

jacob-zuma     1.0.1

jquery-bindings           1.1.3

jquery-bindings           1.1.2

just-toasty       1.7.1

kill port            2.0.3

kill port            2.0.2

kwami 1.5.9

lang-codes       1.0.1

lang-codes       1.0.2

license-o-matic           1.2.2

license-o-matic           1.2.1

lint-staged-imagemin 1.3.1

lint-staged-imagemin 1.3.2

luno-api           1.2.3

mcp-use          1.4.2

medusa-plugin-announcement           0.0.3

medusa-plugin-logs    0.0.17

medusa-plugin-momo 0.0.68

medusa-plugin-product-reviews-kvy  0.0.4

medusa-plugin-zalopay           0.0.40

mod10-check-digit      1.0.1

mon-package-react-typescript           1.0.1

n8n-nodes-tmdb          0.5.1

nanoreset        7.0.2

nanoreset        7.0.1

next-circular-dependency       1.0.2

next-circular-dependency       1.0.3

next-simple-google-analytics 1.1.2

next-simple-google-analytics 1.1.1

next-styled-nprogress 1.0.4

next-styled-nprogress 1.0.5

ngx-useful-swiper-prosenjit    9.0.2

ngx-wooapi     12.0.1

obj-to-css         1.0.2

obj-to-css         1.0.3

okta-react-router-6     5.0.1

orchestra         12.1.2

package-tester            1.0.1

parcel-plugin-asset-copier      1.1.3

parcel-plugin-asset-copier      1.1.2

pdf annotation            0.0.2

piclite  1.0.1

pico-uid           1.0.4

pico-uid           1.0.3

pkg-readme    1.1.1

poper-react-sdk          0.1.2

posthog-docusaurus    2.0.6

posthog-js        1.297.3

posthog-node  5.13.3

posthog-node  4.18.1

posthog-node  5.11.3

posthog-plugin-hello-world    1.0.1

posthog-react-native  4.12.5

posthog-react-native  4.11.1

posthog-react-native-session-replay  1.2.2

prime-one-table          0.0.19

prompt-eng     1.0.50

prompt-eng-server     1.0.18

puny-req          1.0.3

ra-auth-firebase          1.0.3

ra-data-firebase          1.0.7

ra-data-firebase          1.0.8

react-favic       1.0.2

react-hook-form-persist         3.0.2

react-hook-form-persist         3.0.1

react-jam-icons           1.0.2

react-jam-icons           1.0.1

react-keycloak-context           1.0.8

react-keycloak-context           1.0.9

react-linear-loader     1.0.2

react-micromodal.js   1.0.2

react-micromodal.js   1.0.1

react-native-datepicker-modal          1.3.2

react-native-datepicker-modal          1.3.1

react-native-email      2.1.1

react-native-email      2.1.2

react-native-fetch       2.0.1

react-native-fetch       2.0.2

react-native-get-pixel-dimensions     1.0.2

react-native-get-pixel-dimensions     1.0.1

react-native-google-maps-directions 2.1.2

react-native-jam-icons           1.0.1

react-native-jam-icons           1.0.2

react-native-log-level 1.2.1

react-native-log-level 1.2.2

react-native-modest-checkbox           3.3.1

react-native-modest-storage  2.1.1

react-native-phone-call          1.2.1

react-native-phone-call          1.2.2

react-native-retriable-fetch   2.0.1

react-native-retriable-fetch   2.0.2

react-native-view-finder         1.2.1

react-native-view-finder         1.2.2

react-native-websocket          1.0.3

react-native-websocket          1.0.4

react-native-worklet-functions           3.3.3

react-qr-image           1.1.1

redux-router-kit          1.2.2

redux-router-kit          1.2.3

sa-company-registration-number-regex        1.0.1

sa-company-registration-number-regex        1.0.2

sa-id-gen         1.0.5

sa-id-gen         1.0.4

samesame       1.0.3

scgs-capacitor-subscribe        1.0.11

scgsffcreator   1.0.5

selenium-session         1.0.5

selenium-session-client          1.0.4

set-nested-prop           2.0.1

set-nested-prop           2.0.2

shell-exec        1.1.4

shell-exec        1.1.3

skills-use          0.1.1

sort-by-distance          2.0.1

south-african-id-info   1.0.2

stat-fns            1.0.1

stoor    2.3.2

super-commit 1.0.1

svelte-autocomplete-select    1.1.1

svelte-toasty    1.1.2

svelte-toasty    1.1.3

tanstack-shadcn-table 1.1.5

tcsp      2.0.2

tcsp-draw-test 1.0.5

tcsp-test-vd     2.4.4

template-lib    1.1.3

template-lib    1.1.4

template-micro-service          1.0.2

template-micro-service          1.0.3

tenacious-fetch           2.3.3

tenacious-fetch           2.3.2

test-foundry-app         1.0.1

test-foundry-app         1.0.2

test-foundry-app         1.0.3

test-hardhat-app         1.0.3

test-hardhat-app         1.0.1

test-hardhat-app         1.0.2

tiaan    1.0.2

typefence        1.2.2

typefence        1.2.3

undefsafe-typed          1.0.4

undefsafe-typed          1.0.3

uplandui          0.5.4

upload-to-play-store   1.0.1

upload-to-play-store   1.0.2

url-encode-decode      1.0.2

url-encode-decode      1.0.1

use-unsaved-changes  1.0.9

valid-south-african-id 1.0.3

web-scraper-mcp        1.1.4

wellness-expert-ng-gallery     5.1.1

wenk    1.0.10

wenk    1.0.9

zapier-async-storage  1.0.2

zapier-async-storage  1.0.1

zapier-platform-legacy-scripting-runner       4.0.2

zapier-platform-legacy-scripting-runner       4.0.3

zuper-sdk         1.0.57

@alexcolls/nuxt-socket.io       0.0.8

@alexcolls/nuxt-ux     0.6.2

@antstackio/eslint-config-antstack    0.0.3

@antstackio/express-graphql-proxy  0.2.8

@antstackio/graphql-body-parser     0.1.1

@antstackio/json-to-graphql  1.0.3

@antstackio/shelbysam          1.1.7

@asyncapi/avro-schema-parser        3.0.25

@asyncapi/bundler     0.6.5

@asyncapi/cli 4.1.2

@asyncapi/converter 1.6.3

@asyncapi/diff            0.5.1

@asyncapi/dotnet-rabbitmq-template          1.0.1

@asyncapi/edavisualiser        1.2.1

@asyncapi/generator 2.8.5

@asyncapi/generator-components    0.3.2

@asyncapi/generator-helpers            0.2.1

@asyncapi/generator-react-sdk         1.1.4

@asyncapi/go-watermill-template    0.2.76

@asyncapi/html-template      3.3.2

@asyncapi/java-spring-cloud-stream-template        0.13.5

@asyncapi/java-spring-template       1.6.1

@asyncapi/java-template      0.3.5

@asyncapi/keeper      0.0.2

@asyncapi/markdown-template        1.6.8

@asyncapi/modelina  5.10.2

@asyncapi/modelina-cli         5.10.2

@asyncapi/multi-parser         2.2.1

@asyncapi/nodejs-template   3.0.5

@asyncapi/nodejs-ws-template         0.10.1

@asyncapi/nunjucks-filters    2.1.1

@asyncapi/openapi-schema-parser   3.0.25

@asyncapi/optimizer  1.0.5

@asyncapi/parser       3.4.1

@asyncapi/php-template       0.1.1

@asyncapi/problem   1.0.1

@asyncapi/protobuf-schema-parser  3.5.2

@asyncapi/protobuf-schema-parser  3.6.1

@asyncapi/python-paho-template     0.2.14

@asyncapi/react-component 2.6.6

@asyncapi/server-api 0.16.24

@asyncapi/specs        6.9.1

@asyncapi/specs        6.10.1

@asyncapi/specs        6.8.2

@asyncapi/studio       1.0.2

@asyncapi/web-component   2.6.6

@faq-component/core           0.0.4

@faq-component/react          1.0.1

@fishingbooker/browser-sync-plugin            1.0.5

@fishingbooker/react-loader 1.0.7

@fishingbooker/react-pagination      2.0.6

@fishingbooker/react-raty     2.0.1

@fishingbooker/react-swiper 0.1.5

@hover-design/core   0.0.1

@hover-design/react  0.2.1

@pradhumngautam/common-app    1.0.2

@pruthvi21/use-debounce     1.0.3

@quick-start-soft/quick-document-translator           1.4.2511142126

@quick-start-soft/quick-git-clean-markdown            1.4.2511142126

@quick-start-soft/quick-markdown    1.4.2511142126

@quick-start-soft/quick-markdown-compose            1.4.2506300029

@quick-start-soft/quick-markdown-image    1.4.2511142126

@quick-start-soft/quick-markdown-print       1.4.2511142126

@quick-start-soft/quick-markdown-translator          1.4.2509202331

@quick-start-soft/quick-remove-image-background 1.4.2511142126

@quick-start-soft/quick-task-refine   1.4.2511142126

@seezo/sdr-mcp-server         0.0.5

@sme-ui/aoma-vevasound-metadata-lib      0.1.3

@strapbuild/react-native-date-time-picker   2.0.4

@strapbuild/react-native-perspective-image-cropper          0.4.15

@strapbuild/react-native-perspective-image-cropper-2      0.4.7

@strapbuild/react-native-perspective-image-cropper-poojan31     0.4.6

@suraj_h/medium-common  1.0.5

@trpc-rate-limiter/cloudflare 0.1.4

@trpc-rate-limiter/hono        0.1.4

@voiceflow/alexa-types         2.15.61

@voiceflow/alexa-types         2.15.60

@voiceflow/anthropic            0.4.5

@voiceflow/anthropic            0.4.4

@voiceflow/api-sdk    3.28.58

@voiceflow/api-sdk    3.28.59

@voiceflow/backend-utils      5.0.1

@voiceflow/backend-utils      5.0.2

@voiceflow/base-types          2.136.2

@voiceflow/base-types          2.136.3

@voiceflow/body-parser        1.21.3

@voiceflow/body-parser        1.21.2

@voiceflow/chat-types           2.14.59

@voiceflow/chat-types           2.14.58

@voiceflow/circleci-config-sdk-orb-import   0.2.1

@voiceflow/circleci-config-sdk-orb-import   0.2.2

@voiceflow/commitlint-config           2.6.1

@voiceflow/commitlint-config           2.6.2

@voiceflow/common 8.9.2

@voiceflow/common 8.9.1

@voiceflow/default-prompt-wrappers          1.7.4

@voiceflow/default-prompt-wrappers          1.7.3

@voiceflow/dependency-cruiser-config        1.8.12

@voiceflow/dependency-cruiser-config        1.8.11

@voiceflow/dtos-interact       1.40.1

@voiceflow/dtos-interact       1.40.2

@voiceflow/encryption          0.3.3

@voiceflow/encryption          0.3.2

@voiceflow/eslint-config        7.16.4

@voiceflow/eslint-config        7.16.5

@voiceflow/eslint-plugin        1.6.1

@voiceflow/eslint-plugin        1.6.2

@voiceflow/exception            1.10.2

@voiceflow/exception            1.10.1

@voiceflow/fetch       1.11.2

@voiceflow/fetch       1.11.1

@voiceflow/general-types     3.2.22

@voiceflow/general-types     3.2.23

@voiceflow/git-branch-check 1.4.4

@voiceflow/git-branch-check 1.4.3

@voiceflow/google-dfes-types           2.17.13

@voiceflow/google-dfes-types           2.17.12

@voiceflow/google-types       2.21.12

@voiceflow/google-types       2.21.13

@voiceflow/husky-config       1.3.1

@voiceflow/husky-config       1.3.2

@voiceflow/logger     2.4.3

@voiceflow/logger     2.4.2

@voiceflow/metrics   1.5.2

@voiceflow/metrics   1.5.1

@voiceflow/natural-language-commander   0.5.2

@voiceflow/natural-language-commander   0.5.3

@voiceflow/nestjs-common   2.75.2

@voiceflow/nestjs-common   2.75.3

@voiceflow/nestjs-mongodb  1.3.1

@voiceflow/nestjs-mongodb  1.3.2

@voiceflow/nestjs-rate-limit  1.3.3

@voiceflow/nestjs-rate-limit  1.3.2

@voiceflow/nestjs-redis         1.3.1

@voiceflow/nestjs-redis         1.3.2

@voiceflow/nestjs-timeout    1.3.1

@voiceflow/nestjs-timeout    1.3.2

@voiceflow/npm-package-json-lint-config    1.1.1

@voiceflow/npm-package-json-lint-config    1.1.2

@voiceflow/openai     3.2.3

@voiceflow/openai     3.2.2

@voiceflow/pino         6.11.3

@voiceflow/pino         6.11.4

@voiceflow/pino-pretty          4.4.2

@voiceflow/pino-pretty          4.4.1

@voiceflow/prettier-config    1.10.1

@voiceflow/prettier-config    1.10.2

@voiceflow/react-chat           1.65.4

@voiceflow/react-chat           1.65.3

@voiceflow/runtime   1.29.1

@voiceflow/runtime   1.29.2

@voiceflow/runtime-client-js 1.17.2

@voiceflow/runtime-client-js 1.17.3

@voiceflow/sdk-runtime        1.43.1

@voiceflow/sdk-runtime        1.43.2

@voiceflow/secrets-provider 1.9.2

@voiceflow/secrets-provider 1.9.3

@voiceflow/semantic-release-config 1.4.1

@voiceflow/semantic-release-config 1.4.2

@voiceflow/serverless-plugin-typescript       2.1.7

@voiceflow/serverless-plugin-typescript       2.1.8

@voiceflow/slate-serializer    1.7.3

@voiceflow/slate-serializer    1.7.4

@voiceflow/stitches-react      2.3.3

@voiceflow/stitches-react      2.3.2

@voiceflow/storybook-config             1.2.2

@voiceflow/storybook-config             1.2.3

@voiceflow/stylelint-config    1.1.1

@voiceflow/stylelint-config    1.1.2

@voiceflow/test-common      2.1.2

@voiceflow/test-common      2.1.1

@voiceflow/tsconfig   1.12.2

@voiceflow/tsconfig   1.12.1

@voiceflow/tsconfig-paths     1.1.5

@voiceflow/tsconfig-paths     1.1.4

@voiceflow/utils-designer      1.74.19

@voiceflow/utils-designer      1.74.20

@voiceflow/verror     1.1.4

@voiceflow/verror     1.1.5

@voiceflow/vite-config          2.6.3

@voiceflow/vite-config          2.6.2

@voiceflow/vitest-config        1.10.3

@voiceflow/vitest-config        1.10.2

@voiceflow/voice-types         2.10.59

@voiceflow/voice-types         2.10.58

@voiceflow/voiceflow-types  3.32.45

@voiceflow/voiceflow-types  3.32.46

@voiceflow/widget     1.7.19

@voiceflow/widget     1.7.18

ai-crowl-shield 1.0.7

arc-cli-fc          1.0.1

asyncapi-preview        1.0.1

axios-builder   1.2.1

benmostyn-frame-print          1.0.1

bidirectional adapter  1.2.3

bidirectional adapter  1.2.2

bun-plugin-httpfile      0.1.1

chrome-extension-downloads            0.0.4

composite reducer     1.0.2

composite reducer     1.0.3

create-glee-app          0.2.2

dashboard-empty-state          1.0.3

dialogflow-es  1.1.1

dialogflow-es  1.1.2

docusaurus-plugin-vanilla-extract      1.0.3

dotnet-template          0.0.3

esbuild-plugin-brotli   0.2.1

esbuild-plugin-eta       0.1.1

esbuild-plugin-httpfile            0.4.1

eslint-config-zeallat-base       1.0.4

generator-meteor-stock         0.1.6

github-action-for-generator   2.1.27

go-template    0.1.8

hover-design-prototype          0.0.5

iron-shield-miniapp    0.0.2

korea-administrative-area-geo-json-util        1.0.7

kwami 1.5.10

manual-billing-system-miniapp-api   1.3.1

n8n-nodes-vercel-ai-sdk         0.1.7

n8n-nodes-viral-app    0.2.5

normal-store   1.3.1

normal-store   1.3.2

open2internet 0.1.1

react-native-use-modal          1.0.3

rollup-plugin-httpfile  0.2.1

shelf-jwt-sessions        0.1.2

shinhan-limit-scrap     1.0.3

test23112222-api        1.0.1

vf-oss-template           1.0.2

vf-oss-template           1.0.1

vite-plugin-httpfile      0.2.1

web-types-htmx          0.1.1

web-types-lit   0.1.1

webpack-loader-httpfile         0.2.1

An estimated 600+ packages are compromised, and active propagation is ongoing, so the list above should be treated as a snapshot rather than a complete inventory.

Known SHA1 Malware Hashes

005cea90675e7d149b4f9ca6b844c33542614cae

008eb1acfe1797ce744628943f9542cf3bf65039

00a59fd56ddac5d2650f89935f32f26354dfbce2

00ea537b0080f4c810e476f69980785d9e09df6

00fd85fbb50729349ebac94b71e03885d9e09df6

Indicators of Compromise (IOCs)

File Artifacts

setup_bun.js

bun_environment.js

Malicious Activity Indicators

  • Unexpected creation of new GitHub repositories
  • Commit or push activity in version control that no user initiated
  • Unrecognized npm dependency version bumps in the last 12–24 hours
  • Outbound requests from build systems to unfamiliar IP ranges

Search for suspicious repos

Developers should search their GitHub organizations and personal accounts for repositories whose description contains the string:

"Shai-Hulud: The Second Coming"

Technical Detection Recommendations

YARA-style sample detection

Immediate Response Actions

  • Disable automatic dependency updates (Renovate, Dependabot, scripted npm audit fix)
  • Inspect and revert package updates from the last 12 hours
  • Rotate cloud service keys and developer tokens
  • Check GitHub recent repository creation logs
  • Freeze production build pipelines

Strategic Threat Intelligence Assessment

This incident marks a turning point in open-source security. The payload chain combines:

  • Supply-chain compromise
  • Worm-style propagation
  • Data theft at scale
  • Optional destructive capability

The risk to commercial, enterprise, and government environments is severe, particularly due to reliance on npm for microservices and SaaS deployments.

Conclusion

The Shai-Hulud: The Second Coming campaign represents one of the most dangerous real-world threats the npm ecosystem has ever encountered. Its blend of stealth, automated propagation, massive-scale exfiltration, and destructive capability makes it a priority event requiring immediate response from development, SOC, and DevSecOps teams globally.

About us!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
