A new Shai-Hulud worm variant has infected 640+ npm packages and 25,000+ GitHub repos, spreading via npm preinstall scripts. If it cannot harvest tokens, it wipes user data. It targets developer secrets, CI/CD pipelines, and cloud credentials.
Severity: Critical
Affected Products
- npm packages including:
  - @asyncapi/specs (≈1.4M weekly downloads)
  - Zapier packages (zapier-platform-core, zapier-platform-cli, etc.)
  - ENS Domains libraries
  - PostHog packages
  - Postman packages
  - Browserbase packages
- Ecosystem impact: ~700 confirmed compromised packages; combined monthly downloads exceed 130 million.
- GitHub Actions workflows: malicious workflows injected for remote command execution.
- Cloud credentials targeted: AWS, Azure, GCP, GitHub PATs, npm tokens.
Indicators of Compromise (IoCs)
- Presence of files:
  - setup_bun.js
  - bun_environment.js
- Unexpected GitHub repositories with descriptions like “Sha1-Hulud: Second Coming”.
- Anomalous GitHub Actions workflows or new repos under developer accounts.
- DNS hijacking and privilege escalation attempts in CI/CD environments.
Actions:
- Audit dependencies; pin dependency versions to releases published before Nov 21
- Rotate all tokens/keys immediately
- Rebuild CI/CD agents from clean images
- Enforce MFA
- Monitor for IoCs and anomalous workflows