Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft

Medium
Vulnerability
Published: Mon Nov 24 2025 (11/24/2025, 13:03:00 UTC)
Source: The Hacker News

Description

The Sha1-Hulud supply chain attack targets the npm registry by injecting malicious preinstall scripts into hundreds of npm packages, affecting over 25,000 repositories. The malware stealthily installs or locates the Bun runtime to execute a payload that registers infected machines as self-hosted GitHub runners, enabling arbitrary command execution via injected workflows. It steals sensitive credentials such as NPM tokens and cloud provider secrets by scanning with TruffleHog and exfiltrates them through GitHub artifacts before deleting evidence. If unable to exfiltrate credentials, the malware triggers destructive wiping of the victim's home directory, marking a significant escalation from prior waves. The attack leverages compromised maintainer accounts to publish trojanized packages, propagates rapidly, and targets build and runtime environments. European organizations using npm packages and GitHub workflows are at risk, especially those with extensive DevOps pipelines. Immediate mitigation includes scanning for compromised packages, removing them, rotating credentials, and auditing GitHub workflows for suspicious files. This threat represents a medium to high severity risk due to its credential theft, persistence, and destructive fallback capabilities.

AI-Powered Analysis

Last updated: 11/24/2025, 14:23:47 UTC

Technical Analysis

The second wave of the Sha1-Hulud supply chain attack, detected in November 2025, compromises hundreds of npm packages uploaded between November 21-23, impacting over 25,000 repositories across approximately 350 unique users. This campaign builds on the original Sha1-Hulud attack by introducing a new variant that executes malicious code during the npm preinstall phase, significantly increasing exposure in both build and runtime environments.

The attack injects a preinstall script named "setup_bun.js" into the package.json file, which stealthily installs or locates the Bun runtime environment and runs a bundled malicious script "bun_environment.js". This payload performs multiple malicious actions: it registers the infected machine as a self-hosted GitHub runner named "SHA1HULUD", adds a malicious GitHub Actions workflow (.github/workflows/discussion.yaml) that contains an injection vulnerability, and enables the attacker to run arbitrary commands on the infected machine by exploiting GitHub discussions. The malware uses TruffleHog to scan the local environment for secrets such as NPM tokens, AWS, GCP, Azure credentials, and environment variables, which it exfiltrates via GitHub artifacts before deleting the workflow to hide its tracks.

If the malware fails to authenticate or establish persistence (e.g., cannot obtain GitHub or npm tokens), it triggers a destructive payload that wipes the entire home directory of the current user, erasing all writable files. This destructive fallback marks a significant escalation from the previous wave, shifting from pure credential theft to punitive sabotage. The attack leverages compromised maintainer accounts to publish trojanized versions of legitimate npm packages, facilitating rapid propagation and widespread impact.

Security vendors recommend immediate scanning of endpoints for compromised packages, removal of infected versions, credential rotation, and thorough auditing of GitHub workflows and repository branches for persistence mechanisms or suspicious files. The campaign is ongoing, with new repositories being infected every 30 minutes, indicating active exploitation and a rapidly evolving threat landscape.

Potential Impact

For European organizations, the Sha1-Hulud attack poses a significant risk to software supply chain integrity, particularly for those heavily reliant on npm packages and GitHub Actions workflows in their development and deployment pipelines. Credential theft of NPM tokens and cloud provider secrets (AWS, GCP, Azure) can lead to unauthorized access to critical infrastructure, data breaches, and lateral movement within corporate networks. The ability to execute arbitrary commands on infected machines via self-hosted GitHub runners increases the risk of persistent compromise and further exploitation. The destructive fallback wiping user home directories can cause severe data loss, operational disruption, and recovery costs. Organizations with automated CI/CD pipelines and extensive use of open-source dependencies are especially vulnerable, as the malicious code executes during package installation, potentially affecting build servers and developer workstations alike. The rapid propagation and stealthy nature of the attack complicate detection and remediation efforts. Additionally, the exfiltration of secrets to external servers undermines confidentiality and may facilitate subsequent attacks such as ransomware or espionage. The reputational damage and regulatory implications under GDPR for failing to protect sensitive data could also be substantial for European entities.

Mitigation Recommendations

European organizations should implement a multi-layered mitigation strategy tailored to this threat:

1) Conduct immediate and comprehensive scans of all development and build environments to identify and remove compromised npm packages, focusing on those published between November 21-23, 2025.
2) Rotate all potentially exposed credentials, including NPM tokens, cloud provider keys (AWS, GCP, Azure), and environment variables, to invalidate stolen secrets.
3) Audit all GitHub repositories for unauthorized workflows, especially checking the .github/workflows directory for suspicious files such as discussion.yaml or shai-hulud-workflow.yml, and remove any unauthorized workflows or branches.
4) Restrict and monitor the use of self-hosted GitHub runners, implementing strict access controls and logging to detect anomalous runner registrations or activity.
5) Employ runtime protection and endpoint detection and response (EDR) solutions to monitor for unusual preinstall script executions and Bun runtime activity.
6) Enforce strict package integrity verification using tools like npm audit, package signing, and dependency allowlists to prevent installation of trojanized packages.
7) Educate developers and DevOps teams on supply chain risks and encourage the use of private registries or vetted package sources.
8) Implement network segmentation and least privilege principles to limit the impact of credential theft and lateral movement.
9) Regularly back up critical data and verify backup integrity to mitigate the impact of potential destructive payloads.
10) Monitor threat intelligence feeds and vendor advisories for updates on this evolving campaign to adapt defenses promptly.
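As an added triage example (not code from the article, the vendors it cites, or this site), the scanner below checks a checkout or build host for the indicators named in the Technical Analysis and in mitigation steps 1, 3 and 5: a package.json lifecycle hook that invokes setup_bun.js, a bun_environment.js file shipped beside a manifest, and workflow files named discussion.yaml or shai-hulud-workflow.yml. The demo directory it builds is a constructed fixture with invented package names; an exact-name match is a first-pass check, and a clean result is not proof that a tree is uncompromised.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicator names quoted in the analysis above; everything else is constructed.
SUSPECT_SCRIPT_FILES = ("setup_bun.js", "bun_environment.js")
SUSPECT_WORKFLOWS = ("discussion.yaml", "shai-hulud-workflow.yml")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def scan_tree(root):
    """Walk root; return (kind, path, detail) tuples, one per indicator hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if "package.json" in files:
            try:
                manifest = json.loads((d / "package.json").read_text())
            except (OSError, ValueError):
                manifest = {}  # unreadable manifest is not an indicator by itself
            scripts = manifest.get("scripts") or {}
            for hook in LIFECYCLE_HOOKS:
                cmd = str(scripts.get(hook, ""))
                if any(name in cmd for name in SUSPECT_SCRIPT_FILES):
                    findings.append(("lifecycle_script", str(d), f"{hook}: {cmd}"))
            for name in SUSPECT_SCRIPT_FILES:  # payload shipped next to the manifest
                if name in files:
                    findings.append(("payload_file", str(d / name), name))
        if d.name == "workflows" and d.parent.name == ".github":
            for name in files:
                if name in SUSPECT_WORKFLOWS:
                    findings.append(("workflow", str(d / name), name))
    return findings


def build_demo_tree():
    """Constructed fixture: one clean package, one trojanized package, one rogue workflow."""
    root = Path(tempfile.mkdtemp(prefix="hulud-demo-"))
    clean = root / "node_modules" / "demo-clean"  # invented package name
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"scripts": {"test": "node test.js"}}))
    bad = root / "node_modules" / "demo-trojan"  # invented package name
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"scripts": {"preinstall": "node setup_bun.js"}}))
    (bad / "bun_environment.js").write_text("// constructed stand-in for the bundled payload\n")
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / ".github" / "workflows" / "discussion.yaml").write_text("name: discussion\n")
    return root
```

Run scan_tree against a real checkout root or a CI workspace; each finding names the directory or file to quarantine before rotating the credentials that host could have exposed.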


Technical Details

Article Source: https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html (fetched 2025-11-24T14:23:24Z, 1227 words)

Threat ID: 69246a5eff33e781bff46df9

Added to database: 11/24/2025, 2:23:26 PM

Last enriched: 11/24/2025, 2:23:47 PM

Last updated: 11/24/2025, 3:24:32 PM

