A new surge of malicious activity hit the npm ecosystem early on November 24, marking the return of the Shai Hulud campaign. Hundreds of packages began showing the same hallmarks as the earlier outbreak, signaling that the operators behind the worm had reactivated their supply chain operation. The timing is significant: it lands just ahead of npm's December 9 cutoff for classic authentication tokens, the long-lived credentials that this campaign harvests from developer machines and reuses to publish trojanized packages.
A Coordinated Return Before npm’s Token Deadline
The timing of the new attack indicates a deliberate effort to exploit the remaining gaps in token migration. Many organizations have not yet moved their release pipelines to trusted publishing, so older long-lived tokens remain in active use on developer workstations and CI runners, where the worm can find them. The attacker appears to have targeted this transitional window, building on a series of incidents that began during the summer, including the S1ngularity activity in August and the first Shai Hulud wave in mid September.
The new operation mirrors the prior campaign but arrives with expanded capabilities and a clearer strategy for large scale impact.
Understanding Shai Hulud
Shai Hulud takes its name from the giant sandworms in Dune, reflecting the attacker's taste for dramatic thematic references. Despite the theatrical branding, the threat itself is practical, automated, and purpose-built for supply chain exploitation. The worm spreads through npm packages, runs from an install-time lifecycle script, scans the local system for sensitive information, and transmits any recovered credentials to public GitHub repositories created by the attacker. The intent is to compromise developer environments and use the stolen secrets to publish further weaponized packages under the victim's maintainer identity, creating a cycle of propagation.
What’s Changed in the Sandworm’s Second Wave?
The new version of Shai Hulud introduces several operational changes. The staging script now installs the Bun runtime and then uses Bun to execute the primary malicious payload. The worm also creates its GitHub exfiltration repositories with randomized names rather than a fixed one, so defenders can no longer search for a single known repository name. The number of packages the worm attempts to trojanize from each compromised maintainer account has risen from twenty in the first wave to as many as one hundred. In addition, a destructive fallback was added: when the worm cannot authenticate to GitHub or npm, it attempts to wipe the user's home directory. This turns an incomplete or partially blocked infection, for example one where the stolen token has already been revoked, into a potential data-loss event.
Wide Reach Across npm Packages
Netizen reviewed the list of confirmed compromised packages and found that hundreds of modules across AsyncAPI, Zapier, ENS Domains, PostHog, Postman, and several independent publishers were affected. Combined, these packages exceed one hundred million downloads per month. That reach creates an elevated risk of downstream exposure for developers, CI systems, and any organization that pulls in dependency updates automatically, since a floating version range or an unpinned transitive dependency is enough to install a compromised release.
Partial Failures in the Attacker’s Packaging Process
While the campaign was broad, analysis showed that many compromised packages contained only the staging script and lacked the primary payload file, apparently because of packaging errors on the attacker's side. These mistakes limited the overall impact, but they did not prevent successful compromise in key ecosystems, and a package that shipped without its payload should still be treated as malicious and removed.
Evidence of Repository Intrusions
The AsyncAPI team publicly confirmed that an unauthorized branch was created in their CLI repository shortly before the malicious packages were published. The attacker appears to have used a method similar to the one observed during the earlier compromise of nx related projects. Other organizations, including PostHog and Postman, have acknowledged the incident as well.
Early Indicators and Campaign Progression
Telemetry shows the first malicious packages appeared shortly after 3 AM GMT on November 24. AsyncAPI packages were compromised first, followed by rapid expansion into the PostHog and Postman ecosystems. The speed of that progression suggests the attacker relied on automated publishing infrastructure rather than manual uploads.
Implications for Organizations
Any developer or automated system that installed one of the compromised versions during the active window may have exposed sensitive credentials. Shai Hulud runs during the installation phase, so a system can be compromised without the application ever importing or executing the package; running npm install is enough. The worm searches for cloud tokens, CI authentication values, GitHub or npm credentials, and other secrets, then uploads them to public GitHub repositories labeled with the campaign's slogan.
Stolen credentials could allow further unauthorized commits, package publication, or access to internal systems. Because the exfiltration repositories are public, exposure is not limited to the attacker: anyone scraping GitHub can harvest the same secrets. The scale of distribution increases the likelihood that secrets belonging to multiple organizations are already exposed.
Recommended Response Actions
Netizen advises all organizations using npm to take the following steps:
- Audit lockfiles and installed node_modules trees for packages from the affected publishers, comparing exact installed versions against the published list of compromised versions rather than relying on version ranges.
- Revoke and then rotate every credential that was present in development environments or automated build systems during the period in which the malicious versions were available, including npm tokens, GitHub tokens, cloud keys, and CI secrets.
- Search internal GitHub organizations, and the personal accounts of developers who work on affected projects, for unfamiliar repositories containing the phrase “Sha1 Hulud. The Second Coming.”
- Disable npm lifecycle scripts in CI where feasible, for example by running npm ci --ignore-scripts or setting ignore-scripts=true in the project's .npmrc. Packages that genuinely need install scripts, such as native builds, can then be rebuilt explicitly with npm rebuild, so evaluate the trade-off per pipeline.
- Lock dependency versions with a committed lockfile and install with npm ci so CI cannot silently pick up a newer release, and enforce strong authentication on GitHub and npm accounts, including two-factor authentication for publishing and, where possible, trusted publishing in place of long-lived tokens.
- Use supply chain security tooling, such as registry proxies, policy enforcement, or lockfile scanners, to block known malicious package versions within internal environments.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

