SHA1-Hulud Supply Chain Attack Affecting npm Packages

Summary

A supply chain campaign dubbed "Shai Hulud 2.0" and "Sha1 Hulud: The Second Coming" affecting hundreds of npm packages


Affected platforms

The following platforms are known to be affected:

Over 800 npm packages have been reported as infected thus far, though this number is expected to grow. Researchers at Socket have been maintaining an updated list of affected packages - https://socket.dev/blog/shai-hulud-strikes-again-v2.


Threat details

Introduction

Attackers have compromised legitimate npm maintainer accounts and injected a "worm" (malicious code that self-replicates and spreads across multiple machines or networks) into the preinstall scripts of npm packages published from those accounts.


Exploitation activity details

When one of the trojanised npm packages is downloaded and installed, the malicious script runs automatically and deploys a payload that serves multiple purposes:

  • Allows remote code execution via GitHub Actions
  • Automatic exfiltration of GitHub and npm secrets
  • Exfiltration of cloud credentials (Azure, AWS, GCP) to allow for broader compromise
  • Propagation to victim-controlled GitHub and npm repositories to allow further downstream infections

If Sha1-Hulud is unable to steal GitHub or npm credentials, obtain tokens, or secure any exfiltration channel, it falls back to destructive behaviour on the affected device: it deletes all files in the user's home directory on Linux and in %USERPROFILE% on Windows.


Remediation advice

The NHS England National CSOC recommends impacted developers follow the remediation steps detailed below.


Remediation steps

Type     Step
Action   Enforce phishing-resistant multi-factor authentication (MFA) for developer accounts; this mitigates the initial account-compromise step of this supply chain attack.
Action   Uninstall known affected versions of npm packages and delete your node_modules folder.
Action   If these packages were installed in environments with access to secrets or credentials, rotate all API keys, tokens, and passwords (including GitHub, npm, AWS, GCP, and Azure tokens) immediately, as the malicious code may have exfiltrated them.
Action   Pin known-good package versions until patched releases are verified.
Action   Audit your repositories for persistence mechanisms by reviewing .github/workflows/ for suspicious files such as discussion.yaml, and check for unexpected branches.
Action   Rotate credentials regularly so that a compromised credential cannot be used against accounts for long.
Action   Audit developer environments that have installed known affected versions of npm packages for unauthorised publishes or credential theft.
Action   Monitor logs for unusual npm publish or package modification events.


Last edited: 26 November 2025 4:27 pm