Monday 06 July 2026 09:23:40 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cloud, SaaS & Identity Security

Credential Carnage: The Second Coming of Sha1-Hulud Infects npm’s Supply Chain

A new, more destructive wave of npm attacks is stealing secrets and torching data across thousands of open-source projects.

Fast Facts

  • Over 25,000 GitHub repositories compromised in days via infected npm packages.
  • Attackers use a preinstall script to steal credentials and, if thwarted, wipe victims’ files.
  • Malware leverages GitHub Actions to exfiltrate sensitive information from developer environments.
  • The campaign mimics and escalates tactics from the September 2025 Shai-Hulud attack.
  • Major security vendors warn of rapid, self-replicating spread and urge urgent mitigation.

A New Sandworm in the Open-Source Desert

Imagine a sandworm burrowing unseen beneath a vast digital desert, surfacing to devour secrets and, if cornered, leaving nothing but scorched earth. This is the chilling reality facing open-source developers as the Sha1-Hulud campaign unleashes its second, more devastating wave upon the npm ecosystem.

First detected by security firms including Wiz, HelixGuard, and Koi Security, this campaign has infected over 25,000 repositories in a matter of days. The attackers weaponized npm-JavaScript’s essential package manager-by sneaking malicious code into common packages. When developers unknowingly installed these, the malware sprang its trap, quietly stealing credentials and cloud tokens. If it couldn’t grab the loot, it lashed out: erasing every file in the victim’s home directory, a scorched-earth tactic echoing classic ransomware despair.

From Stealthy Theft to Open Sabotage

This isn’t npm’s first brush with supply chain attacks. In September 2025, the original “Shai-Hulud” campaign shocked the open-source world by hijacking trusted packages to pilfer secrets using credential scanners like TruffleHog. That first wave was bad enough-stealing sensitive information from developers and cloud environments-but the latest iteration raises the stakes. The malware now executes during the “preinstall” phase, a moment when developers are least suspicious, and uses GitHub’s automation features to siphon secrets and cover its tracks.

Reports suggest the new variant is more aggressive and resilient. If the malware fails to access GitHub or npm tokens-its golden ticket for exfiltration-it retaliates by deleting the victim’s files, making recovery nearly impossible without backups. This punitive twist marks a shift from mere theft toward destructive sabotage, a tactic more often seen in geopolitically motivated cyberwarfare than open-source squabbles.

Supply Chain Dominoes

The Sha1-Hulud attacks highlight the fragility of the open-source software supply chain. npm packages are the building blocks of millions of applications; a single compromised maintainer can infect thousands of projects downstream. Attackers exploited this trust by taking over legitimate accounts, uploading booby-trapped packages, and letting the infection spread like wildfire-at one point, 1,000 new repositories were tainted every 30 minutes.

Security vendors urge developers and organizations to scan for malicious packages, rotate all exposed credentials, and audit workflows for signs of tampering. The incident has already prompted a broader conversation about software supply chain security, echoing past crises like the SolarWinds breach and the Log4j debacle, where trusted tools became unwitting weapons.

The second coming of Sha1-Hulud is a stark warning: in the open-source world, trust is both a strength and a vulnerability. As attackers grow bolder, the line between theft and destruction blurs, reminding us that vigilance and rapid response are the only shields in a shifting digital wasteland.

WIKICROOK

  • npm: npm is a central online library where developers share, update, and manage JavaScript code packages to build software efficiently and securely.
  • Preinstall Script: A preinstall script is code that runs automatically before a package installs, often for setup tasks, but it can be misused for malicious purposes.
  • Credential Theft: Credential theft occurs when hackers steal usernames and passwords, often via phishing or data breaches, to illegally access online accounts.
  • GitHub Actions: GitHub Actions automates tasks like testing and deploying code on GitHub. While boosting productivity, it can be misused if not properly secured.
  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.