Arctic Wolf Security Bulletin

Shai-Hulud Malware Targets Numerous NPM Packages in Second-Wave NPM Supply-Chain Attack


On November 24, 2025, researchers identified a renewed supply-chain attack linked to Shai-Hulud malware, revealing that numerous npm packages had been quietly trojanized following the initial wave of malicious activity in September. This second iteration involved compromised versions of popular packages uploaded between November 21, 2025, and November 23, 2025, with additional compromised packages continuing to surface at the time of writing. 

The malware in this wave is more sophisticated than the previous campaign, executing during the preinstall phase of npm via scripts such as setup_bun.js that drop a heavily obfuscated payload (bun_environment.js). Once executed, it scans the environment for developer secrets (including GitHub tokens, cloud credentials such as AWS, GCP, and Azure, and npm tokens) and exfiltrates them to attacker-controlled GitHub repositories, often with auto-generated names and descriptions referencing “Shai-Hulud: The Second Coming.” 

The malware also acts like a worm, self-propagating by using stolen npm tokens from compromised maintainers to publish malicious versions of other packages under their accounts. If it fails to authenticate or exfiltrate secrets, it may delete the user’s home directory. 

Package management ecosystems such as npm have been heavily targeted by threat actors recently and are likely to remain a prime target, putting organizations that incorporate these tools into their development toolchain at continued risk. 

Affected Code Packages

The npm software registry is the world’s largest package repository, containing more than 800,000 code packages with millions of downloads per day. As it is widely used in development environments, organizations that use npm as part of their development workflow are recommended to review this blog article for a list of affected packages that have been identified so far. 

Recommendations

Review GitHub Accounts for Malicious Repositories

In this campaign, thousands of malicious GitHub repositories were created for data exfiltration and persistence. Review your GitHub accounts for newly created git repositories that are unexpected, especially in situations where they contain filenames such as: 

  • cloud.json 
  • contents.json 
  • environment.json 
  • truffleSecrets.json 
  • discussion.yaml (typically located in .github/workflows/discussion.yaml) 

If you are not using GitHub in your environment but do publish packages to npm registries, look for new, unsanctioned versions of packages deployed to npm registries, as these may indicate abuse of stolen npm tokens. 

Identify and Remove Affected npm Packages

Hijacked npm packages that were identified by their maintainers are being removed from the npm registry to prevent further distribution. It is recommended that organizations review and remove affected versions of npm packages from their environments, especially on devices and CI/CD systems where npm is used as part of the development pipeline. 

Special care should be taken in any confirmed infection scenario where npm authentication tokens are present for publication of packages to private or public npm registries, considering that this malware attempts to propagate by deploying trojanized versions of packages using those credentials. 

Where feasible, prioritize purging and reinstalling npm packages on development workstations and build infrastructure that may have installed impacted versions, ensuring that only pinned, known-good versions are reintroduced. As described in the Wiz article, clearing local npm caches as part of this process can help prevent reinstallation of trojanized artifacts. 

Note: The full process of remediation in a confirmed infection scenario may involve additional steps beyond what’s articulated in this security bulletin, such as purging local npm cache. 

Contact Arctic Wolf if an Infection is Suspected

If you are an Arctic Wolf customer and suspect that you have been affected by this campaign, please email security@arcticwolf.com and call one of the following numbers: 

  • For US support, please call +1 (888) 272-8429 
  • For CA support, please call +1 (800) 300-0263 
  • For DE support, please call +49 30 16637144 
  • For UK support, please call +44 800 260 6438 
  • For AUS support, please call +61 2 5119 8562 

A list of all packages and versions known to be affected thus far is available in this blog article. 

Rotate Secrets on Devices Running Trojanized npm Packages

At minimum, any device or CI/CD runner confirmed or strongly suspected to be running trojanized versions of npm packages should be quarantined until fully remediated, and any accessible secrets should be rotated or revoked and reissued. 

Because threat actors in this campaign aggressively harvest and exfiltrate sensitive credentials, teams may also consider rotating these credentials across development and build environments where npm packages are regularly installed, even without a confirmed compromise but where exposure to affected packages is plausible. 

Potentially affected secrets include, but are not necessarily limited to: 

  • AWS credentials, including access keys (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), IAM credentials, and session tokens. 
  • Google Cloud Platform service credentials including OAuth tokens and service account keys. 
  • Azure credentials including service principals and access tokens. 
  • Credentials stored in credential management tools such as AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault. 
  • npm authentication tokens (i.e., those used for automation and publication). 
  • API keys stored in environment variables throughout code. 
  • SSH keys used with Git. 
  • Database credentials stored in connection strings. 
  • GitHub personal access tokens. 
  • GitHub Actions secrets. 

Note: At the time of this writing, TruffleHog (a credential extraction tool commonly used by threat actors) supports over 800 different types of credentials for extraction. While there is no central documentation page listing out all supported credential types, their GitHub repository has a list of detectors provided. 
