A massive resurgence of the Sha1-Hulud supply chain malware has struck the open-source ecosystem, compromising over 800 npm packages and tens of thousands of GitHub repositories in a campaign dubbed “The Second Coming.” This attack represents one of the most significant threats to developer infrastructure in recent years.
Scope and Impact
The campaign targets high-profile dependencies from major organizations, including:
- AsyncAPI
- Postman
- PostHog
- Zapier
- ENS Domains
Researchers estimate 132 million monthly downloads are affected, putting critical development tools and CI/CD pipelines at risk.
What’s New in This Variant?
Unlike previous versions, this wave introduces:
- Bun Runtime Exploitation: The malware installs Bun via `setup_bun.js` to execute malicious payloads outside the standard Node.js path, evading static analysis.
- Credential Theft + Wiper Logic: If the malware fails to exfiltrate GitHub or npm tokens, it triggers a catastrophic fallback mechanism that wipes the victim’s home directory.
- Randomized GitHub Repo Creation: Stolen secrets are stored in repos labeled “Sha1-Hulud: The Second Coming”, with over 26,300 exposed repositories identified.
Attack Chain Breakdown
- Initial Infection: `setup_bun.js` installs Bun and executes `bun_environment.js`.
- Secret Harvesting: Uses TruffleHog to scan for API keys and tokens.
- Exfiltration: Creates random GitHub repositories to store stolen credentials.
- Fail-Safe Wiper: If persistence or exfiltration fails, deletes all writable files in the user’s home directory.
This destructive logic marks a shift from pure credential theft to data destruction, signaling a more aggressive threat actor strategy.
Timing and Motivation
The campaign appears timed to precede npm’s scheduled revocation of classic tokens on December 9, 2025, suggesting attackers aimed to infect as many victims as possible before stricter security measures take effect.
Affected Ecosystem Examples
| Victim Organization | Affected Packages | Impact |
|---|---|---|
| AsyncAPI | @asyncapi/cli, @asyncapi/generator | Event-driven architecture tools |
| PostHog | @posthog/cli, posthog-js | Analytics ingestion and plugins |
| Postman | @postman/tunnel-agent | API development utilities |
| Zapier | @zapier/zapier-sdk | Automation SDKs |
| ENS Domains | @ensdomains/ensjs | Ethereum Name Service integrations |
Defensive Recommendations
- Audit dependencies for indicators like `setup_bun.js` and `bun_environment.js`.
- Rotate all credentials exposed in CI/CD environments immediately.
- Implement dependency scanning tools and lockfile integrity checks.
- Monitor for unexpected Bun runtime installations in build pipelines.
Key Takeaways
Sha1-Hulud’s resurgence highlights the fragility of the open-source supply chain and the need for proactive security measures. With destructive wiper logic now in play, organizations must treat this as a critical incident and respond swiftly.