The digital supply chain remains a critical vulnerability for organizations worldwide, and a recent incident serves as a stark reminder of this enduring threat. On November 24, security experts at Aikido detected a significant second wave of the self-replicating npm worm, dubbed Shai-Hulud. This sophisticated attack compromised a staggering 492 software packages, collectively boasting an immense 132 million monthly downloads. The ramifications spread across several major technology and crypto ecosystems, including prominent names like AsyncAPI, PostHog, Postman, Zapier, and ENS.
This widespread intrusion was particularly concerning given its timing, exploiting the final weeks before npm’s crucial December 9 deadline to revoke legacy authentication tokens. Aikido’s security team was alerted to the unfolding event around 3:16 AM UTC, as malicious versions of AsyncAPI’s go-template and 36 associated packages began their insidious spread across the npm registry. The attackers, displaying a flair for theatricality, branded their stolen-credential repositories with the description “Sha1-Hulud: The Second Coming,” maintaining a consistent theme from their earlier September campaign.
Understanding the Worm's Malicious Mechanism
The Shai-Hulud worm operates with a cunning and destructive methodology. During package setup, the malware surreptitiously installs the Bun runtime. Following this, it executes malicious code designed to aggressively search developer environments for any exposed secrets. To achieve this, it leverages tools like TruffleHog, a popular open-source secret-scanning solution. Any secrets it finds, such as API keys, GitHub tokens, and npm credentials, are then published to newly created, randomly named public repositories.
But the attack doesn't stop at exfiltration. The worm actively attempts to propagate itself, pushing new, infected versions to as many as 100 additional packages. This represents a fivefold increase in scale compared to the September attack, highlighting a significant escalation in the attacker's capabilities and ambition.
Technical Evolution and a Destructive Payload
The November iteration of the Shai-Hulud worm showcases several critical modifications and advancements over its September predecessor. One key change designed to frustrate takedown efforts is the malware’s ability to create repositories with randomly generated names for the stolen data, rather than relying on hardcoded identifiers. This dynamic naming convention makes it considerably more challenging for security teams to track and dismantle the data exfiltration points.
The setup code for the worm is now more modular, installing Bun via a dedicated setup_bun.js script before executing the core malicious operations contained within bun_environment.js. This latter script holds the worm’s logic and the routines responsible for credential exfiltration. Perhaps the most alarming new feature is a highly destructive addition: if the malware fails to authenticate with GitHub or npm using the stolen credentials, it retaliates by wiping all files in the user’s home directory. This destructive payload adds a terrifying layer of risk for compromised systems.
Despite these sophisticated improvements, Aikido’s analysis did reveal some execution errors that fortunately limited the attack’s full spread. In some instances, the bundling code responsible for copying the entire worm into new packages failed to include bun_environment.js. This left only the Bun installation script on some systems, effectively neutering the malicious payload. However, even with these partial failures, the initial compromises targeted high-value entities with massive downstream exposure, ensuring significant impact.
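A machine that already ran an install of an affected version can be checked for the layout described above: a package whose install hook invokes setup_bun.js, and the bun_environment.js file that carries the worm logic. The script below is an added example for defenders, not Aikido's tooling and not code from the article; the node_modules tree it scans is constructed inside the script, the package names clean-lib and example-infected are invented, and the check assumes the hook is one of npm's preinstall, install or postinstall scripts.

```shell
#!/bin/sh
# Added example, not from the article or from Aikido: scan an installed
# node_modules tree for the layout the article describes (an npm install hook
# that runs setup_bun.js, plus the bun_environment.js file holding the worm
# logic). The tree below is constructed for the demo; package names are invented.

# Build a constructed tree: one clean package and one that mimics the layout.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/node_modules/clean-lib" "$root/node_modules/example-infected"
  cat > "$root/node_modules/clean-lib/package.json" <<'EOF'
{ "name": "clean-lib", "version": "1.0.0", "scripts": { "test": "node test.js" } }
EOF
  cat > "$root/node_modules/example-infected/package.json" <<'EOF'
{ "name": "example-infected", "version": "9.9.9",
  "scripts": { "postinstall": "node setup_bun.js" } }
EOF
  # Empty stand-ins for the two file names the article reports; no real payload.
  : > "$root/node_modules/example-infected/setup_bun.js"
  : > "$root/node_modules/example-infected/bun_environment.js"
}

# Print "<package dir>: <reason>" for every indicator found under a project root.
# Three checks per package: an install-phase hook (preinstall/install/postinstall)
# that invokes setup_bun.js, and the presence of each of the two files.
scan_tree() {
  find "$1" -name package.json -print | while read -r pj; do
    dir="$(dirname "$pj")"
    if grep -Eq '"(preinstall|install|postinstall)" *: *"[^"]*setup_bun\.js' "$pj"; then
      printf '%s: install hook runs setup_bun.js\n' "$dir"
    fi
    if [ -f "$dir/setup_bun.js" ]; then
      printf '%s: setup_bun.js present\n' "$dir"
    fi
    if [ -f "$dir/bun_environment.js" ]; then
      printf '%s: bun_environment.js present\n' "$dir"
    fi
  done
}

# Number of indicator lines for a project root (0 means nothing matched).
count_findings() {
  scan_tree "$1" | wc -l | tr -d ' '
}

# Demo run on the constructed tree.
tmp="$(mktemp -d)"
make_sample_tree "$tmp"
scan_tree "$tmp"
echo "findings: $(count_findings "$tmp")"
```

Run it against a real checkout by calling scan_tree on the project root instead of the constructed directory; a non-zero count is a reason to treat the host's secrets as exposed and rotate them, which matters here because the article notes some infected packages shipped only setup_bun.js, so the hook check and the file checks are deliberately reported separately.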
High-Value Targets and Widespread Impact
The initial wave of compromises hit critical infrastructure within various ecosystems:
- AsyncAPI: Suffered extensive damage, with 36 compromised releases including core packages like @asyncapi/cli, @asyncapi/parser, and @asyncapi/generator.
- PostHog: Followed shortly after at 4:11 AM UTC, with infected versions of posthog-js, posthog-node, and dozens of their plugins being affected.
- Postman: Key Postman packages were compromised around 5:09 AM UTC.
- Zapier: The incident affected essential components such as @zapier/zapier-sdk, zapier-platform-cli, and zapier-platform-core.
- ENS (Ethereum Name Service): Critical ENS packages including @ensdomains/ensjs, @ensdomains/ens-contracts, and ethereum-ens were also compromised, underscoring the attack’s reach into the blockchain and crypto domain.
Beyond Tokens: Evidence of Repository-Level Access
A particularly concerning discovery during the investigation was made by the AsyncAPI team. They found a malicious branch within their CLI repository that had been created immediately before the compromised packages began appearing on npm. This branch contained a deployed version of the Shai-Hulud malware itself, strongly indicating that the attacker gained direct write access to the repository, not merely hijacking npm tokens.
This escalation in attack sophistication mirrors techniques seen in other high-profile incidents, such as the original Nx compromise, where attackers directly modified source repositories to inject malicious code into legitimate build pipelines. This means the attackers weren't just exploiting exposed credentials for npm, but potentially gained deeper control over the development lifecycle itself.
Aikido estimates that a staggering 26,300 GitHub repositories now contain stolen credentials that are marked with the “Sha1-Hulud: The Second Coming” description. These repositories hold a treasure trove of sensitive information exposed by developer environments that executed the compromised packages. This includes invaluable cloud service credentials, CI/CD tokens, and authentication keys for various third-party APIs. The public nature of these leaks dramatically amplifies the damage, as any malicious actor monitoring these repositories can harvest credentials in real time and launch subsequent, more targeted attacks.
Attack Timing and Essential Mitigation Strategies
The timing of this second wave of attacks is highly significant, coinciding directly with npm’s November 15 announcement that it would revoke classic authentication tokens on December 9. The attacker’s strategic decision to launch such a large-scale campaign just weeks before this deadline strongly suggests they understood that the window for token-based compromises was rapidly closing. Aikido’s timeline reveals the first Shai-Hulud wave began on September 16, making the November 24 “Second Coming” a calculated final opportunity for the attacker to exploit legacy tokens before npm’s migration cut off that particular avenue of access.
In response to this grave threat, Aikido has issued urgent recommendations for security teams:
- Audit Dependencies: Thoroughly audit all dependencies from affected ecosystems, particularly Zapier, ENS, AsyncAPI, PostHog, and Postman packages installed or updated after November 24.
- Rotate Secrets: Immediately rotate all GitHub, npm, cloud, and CI/CD secrets used in environments where these compromised packages were present.
- Search GitHub: Actively search GitHub for repositories containing the “Sha1-Hulud: The Second Coming” description to determine if internal credentials have been exposed.
- Disable Postinstall Scripts: Implement policies to disable npm postinstall scripts in CI pipelines. This critical step prevents future install-time execution of malicious code.
- Pin Package Versions: Pin package versions with lock files to limit exposure to newly compromised releases and ensure only validated versions are used.
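The audit, pin and disable-scripts steps above can be wired into a CI job. The script below is an added example, not Aikido's tooling and not code from the article: its watchlist is built only from the package names and scopes the article lists, the package-lock.json it reads is constructed inside the script, and the version strings in it are placeholders rather than real releases. It reads the lockfile (lockfileVersion 2 or 3 layout) so the audit is against the pinned versions that would actually be installed, and it writes the .npmrc that makes a CI runner skip install-time scripts.

```shell
#!/bin/sh
# Added example (not from the article or from Aikido): audit a package-lock.json
# for the ecosystems the article names, and emit the CI-side npm config that
# disables install-time scripts. The lockfile below is constructed for the demo.

# Packages and scopes named in the article. An entry ending in "/" is a scope and
# matches every package under it; any other entry must match the name exactly.
WATCHLIST='@asyncapi/ posthog-js posthog-node @zapier/ zapier-platform-cli zapier-platform-core @ensdomains/ ethereum-ens'

# Constructed lockfileVersion 3 sample; versions are placeholders, not real releases.
write_sample_lockfile() {
  cat > "$1" <<'EOF'
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app" },
    "node_modules/posthog-js": { "version": "0.0.0-placeholder" },
    "node_modules/@asyncapi/parser": { "version": "0.0.0-placeholder" },
    "node_modules/lodash": { "version": "4.17.21" },
    "node_modules/lodash/node_modules/zapier-platform-core": { "version": "0.0.0-placeholder" }
  }
}
EOF
}

# True (exit 0) when a package name is on the watchlist.
is_watched() {
  name="$1"
  for w in $WATCHLIST; do
    case "$w" in
      */) case "$name" in "$w"*) return 0 ;; esac ;;
      *)  [ "$name" = "$w" ] && return 0 ;;
    esac
  done
  return 1
}

# Print "name version" for each watched package in a v2/v3 lockfile.
# Nested paths (a/node_modules/b) are reduced to the innermost package name.
audit_lockfile() {
  sed -n 's/^ *"\(node_modules\/[^"]*\)": *{.*"version": *"\([^"]*\)".*/\1 \2/p' "$1" |
  while read -r path version; do
    name="${path##*node_modules/}"
    if is_watched "$name"; then
      printf '%s %s\n' "$name" "$version"
    fi
  done
}

# Number of watched packages found in the lockfile; use it to gate a CI step.
count_watched() {
  audit_lockfile "$1" | wc -l | tr -d ' '
}

# Write the .npmrc a CI runner should use so install scripts never execute
# (equivalent to passing --ignore-scripts to npm ci on every run).
write_ci_npmrc() {
  printf 'ignore-scripts=true\n' > "$1/.npmrc"
}

# Demo run on the constructed lockfile.
tmp="$(mktemp -d)"
write_sample_lockfile "$tmp/package-lock.json"
write_ci_npmrc "$tmp"
echo "watched packages in constructed lockfile:"
audit_lockfile "$tmp/package-lock.json"
echo "count: $(count_watched "$tmp/package-lock.json")"
```

In a real pipeline, point audit_lockfile at the committed package-lock.json and fail the job when count_watched is non-zero until each listed version has been checked against the affected releases; pinning via the lockfile is what makes this audit meaningful, since npm install without a lockfile can silently pull a newer, compromised release.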
The Shai-Hulud worm represents a sophisticated and evolving threat to the software supply chain. Its ability to exfiltrate credentials and even wipe systems underscores the need for continuous vigilance and proactive security measures, particularly in light of ongoing efforts to secure package registries like npm.