A new variant of the Shai-Hulud npm supply-chain worm, dubbed 'Sha1-Hulud: The Second Coming,' has compromised more than 70 npm packages, including packages published by Zapier and ENS Domains. Infection happens at install time: a multi-stage preinstall hook first installs the Bun runtime as a dropper, then uses it to execute a heavily obfuscated payload of more than 10 MB. The payload harvests GitHub tokens, npm tokens, cloud credentials (AWS, GCP and Azure) and environment variables, and exfiltrates them by using the victim's own GitHub token to create new public repositories containing the stolen data.

On developer machines the malware forks itself into a background process to avoid detection. For persistence in CI, it registers a self-hosted GitHub Actions runner named 'SHA1HULUD' and injects a deliberately vulnerable workflow that can be triggered through repository discussion events, giving the attacker a way back into the victim's infrastructure. Within 5 hours, more than 21,000 public repositories containing stolen credentials had been created.

Remediation: treat every secret reachable from an affected install as compromised and rotate it (GitHub, npm and cloud credentials alike); audit GitHub accounts and organizations for public repositories carrying the attack's signature description, and for the 'SHA1HULUD' self-hosted runner and the injected workflow; and use tooling such as StepSecurity Harden-Runner to detect anomalous CI/CD behavior.
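The three indicators above (an install-time Bun dropper, a discussion-triggered workflow on a self-hosted runner, and exfiltration repos with a signature description) can each be checked offline. The following Node script is an added example written for this page; it is not StepSecurity's tooling and not code from the compromised packages. The dropper filenames (setup_bun.js, bun_environment.js) and the exact description string are assumptions taken from public IOC reporting on this variant, and the repository list is assumed to be in the shape produced by `gh repo list OWNER --limit 1000 --json name,description,visibility`; confirm all three against current indicators before relying on them.

```javascript
// Added triage helpers for the Sha1-Hulud indicators described above.
// Not StepSecurity's code. Filenames, workflow shape and the repo
// description string are assumptions from public IOC reporting.
'use strict';

// --- 1. npm lifecycle hooks -------------------------------------------
// Assumed IOC filenames: first stage installs Bun, second stage is the payload.
const DROPPER_FILES = ['setup_bun.js', 'bun_environment.js'];
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Inspect a parsed package.json for install-time scripts that look like the
// Bun-based dropper. Returns one finding per suspicious hook.
function checkPreinstall(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    if (DROPPER_FILES.some((f) => cmd.includes(f))) {
      findings.push({ hook, cmd, severity: 'high', reason: 'references a known dropper filename' });
    } else if (/\bbun\b/i.test(cmd)) {
      // Any install-time hop into a second runtime deserves a look.
      findings.push({ hook, cmd, severity: 'medium', reason: 'invokes the Bun runtime at install time' });
    }
  }
  return findings;
}

// --- 2. GitHub Actions workflow ---------------------------------------
// Trimmed lines belonging to one top-level YAML key (inline value first,
// then indented children). Enough for triage; it is not a YAML parser.
function topLevelSection(yamlText, key) {
  const out = [];
  let inside = false;
  for (const line of yamlText.split('\n')) {
    if (/^\S/.test(line)) {               // any unindented line starts a new top-level key
      if (inside) break;
      if (line.startsWith(key + ':')) {
        inside = true;
        out.push(line.slice(key.length + 1).trim());
      }
    } else if (inside) {
      out.push(line.trim());
    }
  }
  return out.filter(Boolean);
}

// Flag the persistence pattern: fires on discussion events, runs on a
// self-hosted runner, and feeds discussion content into a shell step.
function checkWorkflow(yamlText) {
  const reasons = [];
  const triggers = topLevelSection(yamlText, 'on').join(' ');
  if (/\bdiscussion(?:_comment)?\b/.test(triggers)) reasons.push('triggered by discussion events');
  if (/runs-on:[\s\S]{0,80}?\b(?:self-hosted|SHA1HULUD)\b/.test(yamlText)) reasons.push('targets a self-hosted runner');
  if (/run:[\s\S]{0,200}?\$\{\{\s*github\.event\.discussion\./.test(yamlText)) {
    reasons.push('interpolates github.event.discussion.* into a run step');
  }
  return reasons;
}

// --- 3. Exfiltration repositories -------------------------------------
// Assumed signature: the variant's name, used as the description of the
// public repos created with the stolen GitHub token.
const SIGNATURE_DESCRIPTION = 'Sha1-Hulud: The Second Coming';

// repos: array of { name, description, visibility } as emitted by gh repo list.
function findExfilRepos(repos) {
  return repos
    .filter((r) => typeof r.description === 'string' && r.description.includes(SIGNATURE_DESCRIPTION))
    .map((r) => r.name);
}

// Run every check and collect the results in one object.
function triage(pkg, workflows, repos) {
  return {
    lifecycle: checkPreinstall(pkg),
    workflows: workflows.map(checkWorkflow),   // one reasons array per workflow
    exfilRepos: findExfilRepos(repos),
  };
}

// --- Constructed sample inputs (not real packages, workflows or repos) --
const SAMPLE_PKG = { name: 'example-lib', version: '1.2.3',
  scripts: { preinstall: 'node setup_bun.js', test: 'jest' } };

const SAMPLE_PERSISTENCE_WORKFLOW = [
  'name: Discussion', 'on:', '  discussion:', '    types: [created]',
  'jobs:', '  process:', '    runs-on: self-hosted', '    steps:',
  '      - run: ${{ github.event.discussion.body }}',
].join('\n');

const SAMPLE_BENIGN_WORKFLOW = [
  'name: CI', 'on: [push, pull_request]', 'jobs:', '  build:',
  '    runs-on: ubuntu-latest', '    steps:', '      - run: npm test',
].join('\n');

const SAMPLE_REPOS = [
  { name: 'internal-tools', description: 'Build scripts', visibility: 'PRIVATE' },
  { name: 'k3v9q2m8x1', description: 'Sha1-Hulud: The Second Coming.', visibility: 'PUBLIC' },
];

console.log(JSON.stringify(
  triage(SAMPLE_PKG, [SAMPLE_PERSISTENCE_WORKFLOW, SAMPLE_BENIGN_WORKFLOW], SAMPLE_REPOS), null, 2));
```

On a real host, feed `checkPreinstall` the parsed package.json of every installed package (walk node_modules), run `checkWorkflow` over each file in .github/workflows of every repository the affected token could write to, and pipe the `gh repo list` JSON for each owner into `findExfilRepos`. A hit in any of the three means the matching credentials must be rotated and the runner and workflow removed, not just the package downgraded.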

From stepsecurity.io (12 min read)