{
	"id": "753a4217-483b-4a80-a603-bf69ffba60ee",
	"created_at": "2026-04-29T02:21:45.328141Z",
	"updated_at": "2026-04-29T08:22:25.870654Z",
	"deleted_at": null,
	"sha1_hash": "c04989fb103e0e5a87eef46ff1d39d46a7770d75",
	"title": "\"Shai-Hulud\" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated November 26)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108328,
	"plain_text": "\"Shai-Hulud\" Worm Compromises npm Ecosystem in Supply\r\nChain Attack (Updated November 26)\r\nBy Justin Moore\r\nPublished: 2025-11-25 · Archived: 2026-04-29 02:08:33 UTC\r\nExecutive Summary\r\nUpdate: Nov. 25, 2025\r\nUnit 42 researchers investigated a renewed npm-focused compromise, in a campaign dubbed Shai-Hulud 2.0. This\r\nwas first reported in early November 2025. The current campaign is significantly wider in scope, affecting tens of\r\nthousands of GitHub repositories. This includes over 25,000 malicious repositories across about 350 unique users.\r\nNotable Differences in November Campaigns\r\nExecution during pre-install dramatically widened the area of impact\r\nThis campaign introduced a far more aggressive fallback mechanism, which could attempt to destroy a\r\nuser’s home directory\r\nNew payload files are named setup_bun.js and bun_environment.js\r\nStolen credentials and secrets are exfiltrated to public GitHub repositories with the repository description:\r\n“Sha1-Hulud: The Second Coming.”\r\nThe Shai-Hulud 2.0 campaign represents an aggressive escalation in software supply chain attacks, moving\r\nbeyond its predecessor's methods by changing the point of infection. By targeting the pre-install phase of software\r\ndependencies, the malware achieves two significant breakthroughs:\r\nIt completely eliminates the need for human interaction, guaranteeing execution on virtually every build\r\nserver processing the infected package\r\nIt effectively bypasses static scanning tools that inspect code during later build stages\r\nWhile this threat still focuses on stealing high-value cloud credentials, it can also cripple an enterprise's entire\r\nCI/CD pipeline. 
This could disrupt development and potentially lock out internal systems, escalating the attack\r\nfrom simple espionage into a highly disruptive denial-of-service event.\r\nRead the Current Scope of the Attack section for more technical details.\r\nIn September, Unit 42 investigated the novel, self-replicating worm known as \"Shai-Hulud,\" responsible for the\r\ncompromise of hundreds of software packages.\r\nThis attack represents a significant evolution in supply chain threats, leveraging automated propagation to achieve\r\nscale. Unit 42 also assesses with moderate confidence that an LLM was used to generate the malicious bash script,\r\nbased on inclusion of comments and emojis.\r\nhttps://unit42.paloaltonetworks.com/npm-supply-chain-attack/\r\nPage 1 of 10\n\nPalo Alto Networks customers are better protected from, and receive mitigations for aspects of this attack, through\r\nvarious products and services, including:\r\nCortex Cloud\r\nPrisma Cloud\r\nAdvanced URL Filtering\r\nAdvanced WildFire\r\nNext-Generation Firewall with Advanced Threat Prevention\r\nThe Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive\r\nassessment to lower your risk.\r\nRelated Unit 42 Topics Supply Chain, Credential Harvesting, Phishing, JavaScript\r\nBackground on npm Packages and the Supply Chain\r\nThe attack may originate from a credential-harvesting phishing campaign spoofing npm and asking developers to\r\n“update” their multi-factor authentication (MFA) login options. Once initial access was gained, the threat actor\r\ndeployed a malicious payload that functions as a worm, initiating a multi-stage attack sequence. Based on the\r\ninclusion of comments and emojis in the bash script, Unit 42 assesses with moderate confidence the threat actor\r\nleveraged an LLM to assist in writing the malicious code.\r\nThe malicious package versions contain a worm that executes a post-installation script. 
This malware scans the\r\ncompromised environment for sensitive credentials, including:\r\n.npmrc files (for npm tokens)\r\nEnvironment variables and configuration files specifically targeting GitHub Personal Access Tokens (PATs)\r\nand API keys for cloud services like:\r\nAmazon Web Services (AWS)\r\nGoogle Cloud Platform (GCP)\r\nMicrosoft Azure\r\nHarvested credentials are exfiltrated to an actor-controlled endpoint. The malware programmatically creates a new\r\npublic GitHub repository named \"Shai-Hulud\" under the victim's account and commits the stolen secrets to it,\r\nexposing them publicly.\r\nUsing the stolen npm token, the malware authenticates to the npm registry as the compromised developer. It then\r\nidentifies other packages maintained by that developer, injects malicious code into them, and publishes the new,\r\ncompromised versions to the registry. This automated process allows the malware to spread exponentially without\r\ndirect actor intervention.\r\nCurrent Scope of the Attack\r\nAs of November 2025, there is a renewed npm-focused compromise in a campaign dubbed “Shai-Hulud 2.0.”\r\nExecution during pre-install (instead of post-install): Dramatically widened the area of impact across\r\ndeveloper machines and continuous integration and continuous delivery (CI/CD) pipelines.\r\nA far more aggressive fallback mechanism: This shifts the tactics from purely data theft to punitive\r\nsabotage. If the malware fails to steal credentials, obtain tokens or secure any exfiltration channel (i.e., it\r\ncannot authenticate to GitHub, create a repository or find GitHub/npm tokens) it attempts to destroy the\r\nvictim’s entire home directory. It does so by securely overwriting and deleting every writable file owned by\r\nthe current user under their home folder.\r\nNew payload files: These are named setup_bun.js and bun_environment.js. 
The attack disguises itself as a\r\nhelpful Bun installer. The core payload, bun_environment.js, is a massive file (over 10 MB) that uses\r\nextreme obfuscation techniques. It delays full execution on developer machines by forking itself into a\r\ndetached background process. This allows the original install process to exit cleanly, giving the user the\r\nillusion of a normal installation.\r\nSha1-Hulud: Stolen credentials and secrets are exfiltrated to public GitHub repositories with the\r\nrepository description: “Sha1-Hulud: The Second Coming.” It also attempts persistence by creating a\r\nGitHub Actions workflow file named discussion.yaml. This workflow registers the infected machine as a\r\nself-hosted runner and allows attackers to execute arbitrary commands by opening GitHub discussions.\r\nScope of the Attack Before November 2025\r\nThe scope of the compromise is extensive, impacting numerous packages, including the widely used\r\n@ctrl/tinycolor library, which receives millions of weekly downloads.\r\nCredential theft from this campaign can lead directly to compromise of cloud services (such as AWS, Azure,\r\nGCP), leading to data theft from storage buckets, ransomware deployment, cryptomining or deletion of production\r\nenvironments. It may also lead to direct database theft and hijacking of third-party services for phishing.\r\nAdditionally, stolen SSH keys can enable lateral movement within compromised networks.\r\nInterim Guidance\r\n1. Credential Rotation: Immediately rotate all developer credentials. This includes npm access tokens, GitHub\r\nPATs and SSH keys, and all programmatic access keys for cloud and third-party services. Assume that any\r\nsecret present on a developer's machine may have been compromised.\r\n2. Dependency Auditing: Conduct a thorough and immediate audit of all project dependencies. Use tools like\r\nnpm audit to identify vulnerable package versions. 
Scrutinize your project's package-lock.json or yarn.lock\r\nfiles to ensure you are not using any of the known-compromised packages. Remove or update affected\r\ndependencies immediately.\r\n3. GitHub Account Security Review: All developers should review their GitHub accounts for unrecognized\r\npublic repositories (specifically \"Shai-Hulud\"), suspicious commits or unexpected modifications to GitHub\r\nActions workflows that could establish persistence.\r\n4. Enforce MFA: Ensure that MFA is strictly enforced on all developer accounts, particularly for critical\r\nplatforms like GitHub and npm, to prevent credential abuse.\r\nUnit 42 Managed Threat Hunting Queries\r\n// Description: Check for connections to any webhook.site domains in raw NGFW URL logs. Optional filter for specific URI observed in use by threat actor.\r\ndataset = panw_ngfw_url_raw\r\n| filter lowercase(url_domain) contains \"webhook.site\"\r\n| alter susp_uri = if(uri contains \"bb8ca5f6-4175-45d2-b042-fc9ebb8170b7\")\r\n// Optional filter:\r\n// | filter susp_uri = true\r\n| fields url_domain, uri, susp_uri, *\r\n// Description: Check for connections to any webhook.site domains in XDR telemetry. 
Optional filter for specific URI observed in use by threat actor.\r\ndataset = xdr_data\r\n| filter event_type = STORY\r\n| filter lowercase(dst_action_external_hostname) contains \"webhook.site\" or lowercase(dns_query_name) contains \"webhook.site\"\r\n| fields agent_hostname, dst_action_external_hostname, dns_query_name\r\n// Description: Detect malicious YAML file\r\ndataset = xdr_data\r\n| filter event_type = FILE and action_file_name = \"shai-hulud-workflow.yml\" and agent_os_type in (ENUM.AGENT_OS_MAC, ENUM.AGENT_OS_LINUX)\r\n| fields agent_hostname, actor_effective_username, action_file_name, action_file_path, actor_process_image_name, actor_process_command_line\r\n// Description: Detects Trufflehog usage. Legitimate tool abused by threat actor for secrets discovery. False positives may occur if there is legitimate use.\r\ndataset = xdr_data\r\n| filter event_type = PROCESS and lowercase(action_process_image_command_line) contains \"trufflehog\"\r\n| fields agent_hostname, actor_effective_username, actor_process_command_line, action_process_image_command_line\r\nUpdated Queries for November 2025 Campaign\r\n// Description: Detect malicious bundle.js, bun_environment.js, and setup_bun.js files\r\npreset = xdr_file\r\n| fields agent_hostname, action_file_name, action_file_path, event_type, event_sub_type, actor_process_image_name, actor_process_command_line, action_file_sha256\r\n| filter event_type = ENUM.FILE\r\n| filter action_file_sha256 = \"46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09\" // bundle.js from September 2025 attack\r\n    or action_file_sha256 
in (\"62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0\", \"f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068\", \"cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd\") // bun_environment.js from November 2025 attack\r\n    or action_file_sha256 = \"a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a\" // setup_bun.js from November 2025 attack\r\n// Description: Detects the unique SHA1HULUD string used in runner creation\r\npreset = xdr_process\r\n| fields agent_hostname, actor_effective_username, action_process_image_name, action_process_image_path, action_process_image_command_line, actor_process_image_name, actor_process_image_path, actor_process_command_line, agent_os_type, event_type, event_sub_type\r\n| filter event_type = ENUM.PROCESS\r\n    and event_sub_type = ENUM.PROCESS_START\r\n| filter action_process_image_command_line contains \" --name SHA1HULUD\"\r\n// Description: Detects an extremely large (\u003e=9MB) bun_environment.js file. False positives are possible, be sure to check action_file_path for the package name and version of any hits.\r\npreset = xdr_file\r\n| fields agent_hostname, action_file_name, action_file_path, action_file_size, event_type, event_sub_type, actor_process_image_name, actor_process_command_line, action_file_sha256\r\n| filter event_type = ENUM.FILE\r\n    and event_sub_type = ENUM.FILE_WRITE\r\n| filter action_file_name = \"bun_environment.js\"\r\n    and action_file_size \u003e= 9437184\r\nConclusion\r\nThe Shai-Hulud worm represents a significant escalation in the ongoing series of npm attacks targeting the open-source community. 
This follows recent incidents such as the s1ngularity/Nx compromise, which involved\r\ncredential theft and exposed private repositories, and a widespread npm phishing campaign observed in September\r\n2024.\r\nIts self-replicating design is particularly notable, effectively combining credential harvesting with an automated\r\ndissemination mechanism that exploits maintainers' existing publishing rights to proliferate across the ecosystem.\r\nFurthermore, we have observed the integration of AI-generated content within the Shai-Hulud campaign, a\r\ndevelopment that follows the s1ngularity/Nx attack's explicit weaponization of AI command-line tools for\r\nreconnaissance. This signifies the ever-evolving threat from actors exploiting AI for malicious activity,\r\naccelerating secret sprawl.\r\nThe consistent and refined nature of these attack methodologies underscores a growing threat to open-source\r\nsoftware supply chains. These attacks are propagating at the speed of Continuous Integration and Continuous\r\nDelivery (CI/CD), which poses long-lasting and increasing security challenges for the entire ecosystem.\r\nPalo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nPalo Alto Networks Product Protections and Detections for npm Packages Supply\r\nChain Attacks\r\nPalo Alto Networks customers can leverage a variety of product protections, services and updates designed to\r\nidentify and defend against this threat.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 000 800 050 45107\r\nAdvanced WildFire\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in\r\nlight of indicators associated with this threat.\r\nNext-Generation Firewalls With Advanced Threat Prevention\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attack via\r\nthe following Threat Prevention signatures: 87042, 87046 and 87047.\r\nCloud-Delivered Security Services for the Next-Generation Firewall\r\nAdvanced URL Filtering helps to block meddler-in-the-middle (MitM) phishing attacks and classifies as malicious\r\nURLs associated with this activity.\r\nCortex XDR and XSIAM\r\nCortex XDR and XSIAM agents help protect against the threats described in this article. The agents prevent the\r\nexecution of known malware and may also prevent the execution of unknown malware using Behavioral Threat\r\nProtection and machine learning based on the Local Analysis module.\r\nCortex Cloud\r\nCortex Cloud offers extensive ASPM and supply chain security capabilities to help identify the vulnerabilities and\r\nmisconfigurations that Shai-Hulud exploits. 
With real-time SBOM visibility, teams can instantly query their\r\ninventory against known malicious npm packages. The platform's Operational Risk model adds another layer of\r\ndefense by evaluating open-source components based on maintainer activity, deprecation signals, and community\r\nhealth to flag risky packages even without published CVEs.\r\nTo harden pipelines, Cortex Cloud provides out-of-the-box CI/CD rules aligned with OWASP and CIS guidance,\r\nincluding checks for missing npm lock files, insecure “npm install” usage, git-sourced packages without commit\r\nhashes, and unused dependencies that expand the attack surface.\r\nSince CVE publication often lags behind active attacks, it’s critical to review and verify that your applications are\r\nnot relying on unsanctioned npm package versions. Together, these controls help ensure malicious versions can’t\r\nsilently enter builds or linger in your environment.\r\nCortex Cloud has published a detailed blog post describing how Cortex Cloud can be used for detecting and\r\npreventing supply chain attacks.\r\nPrisma Cloud\r\nPrisma Cloud can help detect the use of the malicious packages and recognize misconfigurations in the pipelines\r\nthat might lead customers to use untested/unsanctioned OSS package versions. However, the scanner is designed\r\nfor detection of vulnerabilities, license issues and operational risks, and not for detecting malicious code on new\r\npackages. 
It is important to investigate relevant CI/CD alerts and ensure your applications are not using\r\nunsanctioned versions of npm packages.\r\nIndicators of Compromise\r\n46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09\r\nb74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777\r\ndc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c\r\n4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db\r\nhxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7\r\nAdditional Resources\r\nBreakdown: Widespread npm Supply Chain Attack Puts Billions of Weekly Downloads at Risk – Palo Alto\r\nNetworks\r\nSha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages\r\nCompromised – StepSecurity\r\nShai-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposing Secrets – Blog, Wiz\r\nUpdated Sept. 18, 2025 at 2:25 p.m. PT, to add product protections for Advanced Threat Prevention and update\r\nprotections for Cortex Cloud\r\nUpdated Sept. 19, 2025 at 3:50 p.m. PT, to add product protections for Advanced URL Filtering and update\r\nprotections for Cortex Cloud\r\nUpdated Sept. 23, 2025 at 4:36 p.m. PT, to add additional Threat Prevention signatures\r\nUpdated Nov. 25, 2025 at 8:00 a.m. PT, to update Executive Summary and Scope of Attack sections to include\r\ninformation on second campaign\r\nUpdated Nov. 26, 2025 at 8:10 a.m. PT, to update Managed Threat Hunting queries and Cortex Cloud protection\r\ninformation\r\nUpdated Dec. 3, 2025 at 5:45 a.m. PT, to update Cortex product protection information\r\nTable of Contents\r\nExecutive Summary\r\nUpdate: Nov. 
25, 2025\r\nNotable Differences in November Campaigns\r\nBackground on npm Packages and the Supply Chain\r\nCurrent Scope of the Attack\r\nScope of the Attack Before November 2025\r\nInterim Guidance\r\nUnit 42 Managed Threat Hunting Queries\r\nUpdated Queries for November 2025 Campaign\r\nConclusion\r\nPalo Alto Networks Product Protections and Detections for npm Packages Supply Chain Attacks\r\nAdvanced WildFire\r\nNext-Generation Firewalls With Advanced Threat Prevention\r\nCloud-Delivered Security Services for the Next-Generation Firewall\r\nCortex XDR and XSIAM\r\nCortex Cloud\r\nPrisma Cloud\r\nIndicators of Compromise\r\nAdditional Resources",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/npm-supply-chain-attack/"
	],
	"report_names": [
		"npm-supply-chain-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1777429305,
	"ts_updated_at": 1777450945,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c04989fb103e0e5a87eef46ff1d39d46a7770d75.pdf",
		"text": "https://archive.orkl.eu/c04989fb103e0e5a87eef46ff1d39d46a7770d75.txt",
		"img": "https://archive.orkl.eu/c04989fb103e0e5a87eef46ff1d39d46a7770d75.jpg"
	}
}