Sha1-Hulud Malware Resurgence: Over 800 npm Packages and Thousands of GitHub Repositories Compromised
A significant resurgence of the Sha1-Hulud malware has recently impacted the open-source software community, compromising more than 800 npm packages and tens of thousands of GitHub repositories. This latest campaign, referred to by attackers as The Second Coming, has targeted prominent dependencies from organizations such as AsyncAPI, Postman, PostHog, Zapier, and ENS, collectively affecting approximately 132 million monthly downloads.
Evolution of the Attack
The Sha1-Hulud malware has evolved to employ the Bun runtime environment, a strategy that helps it evade traditional detection mechanisms. Notably, this variant introduces a destructive fallback mechanism capable of wiping victim data if certain conditions are not met.
The attack sequence begins with a file named `setup_bun.js`, which installs the Bun runtime to execute the primary malicious payload contained in `bun_environment.js`. This approach allows the malware to operate outside the standard Node.js execution path, often bypassing static analysis tools.
Once activated, the worm utilizes TruffleHog to scan the infected environment for API keys and tokens. Unlike previous versions that used hardcoded repository names, this iteration creates randomly named GitHub repositories to store stolen secrets. These repositories are identified by the description Sha1-Hulud: The Second Coming, with security researchers currently identifying approximately 26,300 exposed repositories.
Destructive Capabilities
A particularly alarming development in this variant is its aggressive volatility. While the primary goal remains credential theft, the malware includes a destructive fail-safe that triggers if it cannot establish persistence or exfiltrate data. If the malware fails to authenticate to GitHub, create a repository, fetch a GitHub token, or locate an npm token, it executes a wiper routine.
This routine attempts to destroy the victim’s entire home directory by deleting every writable file owned by the current user. This shift indicates that if Sha1-Hulud cannot steal credentials or secure an exfiltration channel, it defaults to catastrophic data destruction to eliminate evidence or cause disruption.
Targeted Organizations and Impact
The timing of this campaign appears calculated to precede npm’s scheduled revocation of classic tokens on December 9, 2025. The compromise has affected critical infrastructure software, including significant portions of the AsyncAPI and Postman ecosystems.
Security teams are advised to immediately audit dependencies for the specific file indicators and rotate all credentials exposed in CI/CD environments.
Mitigation Strategies
To protect against such sophisticated supply chain attacks, organizations should implement the following measures:
– Lock Dependency Versions: Pin to specific package versions and avoid wide semantic versioning ranges to prevent automatic inclusion of compromised updates.
– Rotate Secrets: Revoke and regenerate any exposed API tokens, SSH keys, and environment variables to mitigate the risk of unauthorized access.
– Audit Dependencies: Regularly run commands like `npm ls –prod –depth=0` to review direct dependencies and cross-check them against known advisories.
– Integrate Security Tools: Incorporate tools such as `npm audit`, Snyk, or OWASP Dependency-Check into CI pipelines to flag anomalous version releases.
– Validate Package Integrity: Use commands like `npm ci –prefer-offline –hash-checksums` to verify package integrity against known good SHA-256 hashes.
– Employ Runtime Monitoring: Utilize monitoring tools (e.g., Sysmon on Windows, auditd on Linux) to detect unexpected network calls or the use of `eval()` functions.
Conclusion
The resurgence of the Sha1-Hulud malware underscores the critical importance of securing the software supply chain. As open-source ecosystems remain prime targets, rigorous validation and continuous monitoring are essential to safeguard against such sophisticated attacks.
