Shai-Hulud Malware Supply Chain Attack on NPM Packages Targeting Zapier and ENS Domains
A new variant of the Shai-Hulud malware, dubbed "Sha1-Hulud: The Second Coming," has compromised over 70 npm packages, including those associated with Zapier and ENS Domains. The attack involves malicious code that steals developer credentials and publicly exposes them by creating thousands of GitHub repositories labeled with the campaign's name. This incident represents a significant escalation in supply chain attacks within the JavaScript ecosystem, with the malware demonstrating advanced self-propagation capabilities and surpassing the impact of previous Shai-Hulud campaigns within hours of detection.
Security researchers have urged immediate action for developers and organizations using npm packages, recommending checks for compromised package versions, auditing of GitHub accounts for unauthorized repositories, and remediation steps such as removing affected node_modules directories and clearing npm caches. The attack highlights the ongoing risks posed by supply chain threats in open-source ecosystems and the need for vigilant monitoring and rapid response to emerging malware campaigns.

How this story unfolded
18 events from the most recent confirmed update back to the earliest known activity.
Mini Shai-Hulud wave spreads beyond TanStack and abuses valid SLSA provenance
On 2026-05-11, StepSecurity said the revived Mini Shai-Hulud campaign had compromised additional legitimate npm packages from maintainers including UiPath and DraftLab, not just TanStack. The attackers used hijacked CI/CD credentials and GitHub Actions OIDC publishing flows to release malicious packages that still carried valid SLSA Build Level 3 provenance attestations, marking a broader supply-chain escalation.
Mini Shai-Hulud hits official @tanstack/* npm packages
On 2026-05-11, ten malicious versions of official @tanstack/* packages were published within minutes in a live npm supply-chain attack linked by StepSecurity to the self-propagating Shai-Hulud worm. The trojanized TanStack Router-related packages carried a large obfuscated payload to steal GitHub tokens, npm tokens, and CI/CD secrets, and maintainers were notified as the incident unfolded.
Mini Shai-Hulud expands to new npm and PyPI packages
Later updates to the Mini Shai-Hulud investigation identified additional trojanized packages, including intercom-client@7.0.5 on npm and lightning@2.6.2 and 2.6.3 on PyPI. The newly observed payloads broadened credential theft in Kubernetes and HashiCorp Vault environments and used GitHub commit-based fallback discovery with keywords such as "beautifulcastle."
intercom-client@7.0.4 hijacked in Shai-Hulud multi-cloud expansion
StepSecurity reported that the official npm package intercom-client@7.0.4 was maliciously published on 2026-04-30 through a hijacked GitHub Actions OIDC publishing pipeline. The tainted release added a preinstall-stage payload that expanded the campaign beyond GitHub and npm token theft to harvesting AWS, GCP, Azure, private key, and other API secrets.
Maintainers publish clean versions of compromised SAP-related npm packages
Following disclosure of the 'Mini Shai-Hulud' supply-chain attack, maintainers released clean replacement versions for affected SAP-related npm packages including mbt and several @cap-js packages. The action was intended to remove the malicious preinstall payload and restore safe package distribution.
SAP-related npm packages compromised in 'Mini Shai-Hulud' campaign
StepSecurity disclosed a coordinated npm supply-chain attack affecting SAP development ecosystem packages including mbt v1.2.48, @cap-js/sqlite v2.2.2, @cap-js/postgres, and @cap-js/db-service. The campaign reused Shai-Hulud-style credential theft and GitHub repo creation but added a new evasion technique by downloading the Bun runtime and executing a heavily obfuscated payload during installation.
Researchers quantify massive secret exposure and ongoing token risk
By early December, analysis estimated the second wave had infected more than 800 packages, exposed roughly 400,000 raw secrets, and published them across about 30,000 GitHub repositories. Researchers also warned that many leaked npm tokens were still valid as of December 1, creating continued risk of further supply-chain abuse.
StepSecurity details real-time detection in Backstage CI pipeline
StepSecurity reported that in late November its Harden Runner detected Shai-Hulud activity in CNCF Backstage workflows by flagging anomalous connections to bun.sh and TruffleHog infrastructure. The case showed the malware attempting to download tooling and register a self-hosted GitHub Actions runner for persistence.
PostHog publishes postmortem and remediation actions
PostHog later disclosed that the incident was its biggest security event and traced the initial compromise to a CI/CD workflow misconfiguration that exposed a high-privilege GitHub token. The company said it revoked compromised tokens, removed malicious versions, issued clean releases, and began hardening its publishing and workflow controls.
Attack expands beyond npm into Maven ecosystem
By November 26, reporting said the Shai-Hulud v2 campaign had spread from npm to Maven, with at least one Maven Central package compromised. This represented a cross-ecosystem escalation beyond the original npm-focused outbreak.
PostHog and Postman publicly acknowledge impact
Reporting on the campaign noted public acknowledgements from affected organizations including PostHog and Postman. Their statements confirmed that prominent packages had been caught up in the second-wave compromise.
GitHub begins deleting compromised exfiltration repositories
As the worm rapidly created public repositories under victims' GitHub accounts to leak secrets, GitHub started removing compromised repositories. Reports noted cleanup was difficult because new exposed repositories were appearing at a very high rate.
Researchers publicly report Shai-Hulud 2.0 outbreak
On November 24, 2025, multiple security firms and news outlets disclosed an active second-wave npm supply-chain attack dubbed Shai-Hulud 2.0. Early reporting described a self-replicating worm stealing secrets, publishing them to public GitHub repositories, and spreading through trojanized npm packages.
First observed second-wave package compromises appear
Aikido reported the first observed compromised packages on November 24 included go-template and multiple AsyncAPI packages, followed shortly by PostHog and Postman packages. This marked the visible breakout of the renewed campaign across prominent projects.
Compromised npm package versions are uploaded
Arctic Wolf and other reports said malicious package versions were uploaded between November 21 and November 23, 2025. These trojanized releases seeded the second-wave infection across the npm ecosystem.
Second-wave Shai-Hulud 2.0 campaign becomes active
Researchers said the new Shai-Hulud 2.0 variant had been active since at least November 21, 2025. This wave introduced a more aggressive preinstall-stage infection chain and automated propagation through compromised maintainer accounts.
Earlier Shai-Hulud wave hits npm ecosystem
Multiple references describe the November campaign as a second wave following an earlier Shai-Hulud incident in September 2025. That first wave established the malware family and its npm-focused supply-chain behavior before the later escalation.
Initial Shai-Hulud activity begins with targeted phishing
Trend Micro reported the broader Shai-Hulud campaign was first observed in a targeted phishing attack that marked the start of the malware activity later linked to the npm worm. This earlier activity set the stage for the later second-wave supply-chain compromise.
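The summary above recommends checking installed packages for compromised versions, and several timeline entries describe the campaign's preinstall-stage stager that downloads the Bun runtime and executes an obfuscated payload. The following Python is an added example (not code from Mallory or from any of the cited researchers) that audits a package-lock.json against the versions named on this page and flags lifecycle hooks showing that download-and-execute pattern; the KNOWN_BAD list and the sample lockfile are constructed for the demo and would need to be extended from the referenced advisories before real use.

```python
import re
from typing import Dict, List, Set, Tuple

# Compromised versions named in this story (constructed demo list; extend
# it from the referenced advisories before relying on it).
KNOWN_BAD: Dict[str, Set[str]] = {
    "intercom-client": {"7.0.4", "7.0.5"},
    "mbt": {"1.2.48"},
    "@cap-js/sqlite": {"2.2.2"},
}
HOOKS = ("preinstall", "install", "postinstall")
# Stager traits reported for the campaign: Bun runtime pulled from bun.sh and
# remote fetches at install time. \b keeps "bundle" from matching "bun".
SUSPECT = re.compile(r"\bbun\b|bun\.sh|\bcurl\b|\bwget\b|https?://", re.I)


def audit_lockfile(lock: dict) -> List[Tuple[str, str]]:
    """(name, version) pairs in a package-lock.json that match KNOWN_BAD.
    Supports lockfile v2/v3 ("packages", keyed by node_modules path) and
    v1-style nested "dependencies"."""
    hits: Set[Tuple[str, str]] = set()
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            name = path.split("node_modules/")[-1]
            if meta.get("version") in KNOWN_BAD.get(name, set()):
                hits.add((name, meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if meta.get("version") in KNOWN_BAD.get(name, set()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def suspicious_hooks(pkg_json: dict) -> List[str]:
    """Lifecycle hooks in a package.json whose command shows the
    download-and-execute pattern described in the timeline."""
    scripts = pkg_json.get("scripts", {})
    return [h for h in HOOKS if SUSPECT.search(scripts.get(h, ""))]


# Constructed sample input: a v2 lock with one bad pin in "packages" and
# one bad pin nested under "dependencies"; a package.json with a stager hook.
SAMPLE_LOCK = {
    "lockfileVersion": 2,
    "packages": {"": {"name": "app", "version": "1.0.0"},
                 "node_modules/intercom-client": {"version": "7.0.4"},
                 "node_modules/@cap-js/sqlite": {"version": "2.2.3"}},
    "dependencies": {"a": {"version": "1.0.0",
                           "dependencies": {"mbt": {"version": "1.2.48"}}}},
}
SAMPLE_PKG = {"scripts": {"preinstall": "curl -fsSL https://bun.sh/install | bash",
                          "build": "npm run bundle"}}
```

Run audit_lockfile over every package-lock.json in a repository and suspicious_hooks over each node_modules/*/package.json; a hit on either is the cue to remove node_modules, clear the npm cache and rotate any tokens that CI had access to, as the summary recommends.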
Sources
41 references tracked.
Several npm latest releases were compromised · Issue #7383 · TanStack/router (github.com)
Lightning Python Package Infected in Shai-Hulud Attack (ox.security)
SAP npm package attack highlights risks in developer tools and CI/CD pipelines (infoworld.com)
Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked - 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope (stepsecurity.io)
Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub (bleepingcomputer.com)
Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft (thehackernews.com)
Shai Hulud Strikes Again (v2) (socket.dev)
Sha1-Hulud: The Second Coming - Zapier, ENS Domains, and Other Prominent NPM Packages Compromised (stepsecurity.io)