“shai-hulud” worm compromises npm ecosystem in supply chain attack

Intel Name: “shai-hulud” worm compromises npm ecosystem in supply chain attack

Date of Scan: November 26, 2025

Impact: High

Summary:
The team investigated a renewed npm-focused compromise known as Shai-Hulud 2.0, first revealed in early November 2025. This campaign is far larger than before, impacting tens of thousands of GitHub repositories, including over 25,000 malicious repos tied to roughly 350 unique users. Shai-Hulud 2.0 escalates software supply-chain attacks by shifting the infection point to the pre-install phase of dependencies. This allows execution without human interaction and evades static scanning tools that run later in the build process, dramatically expanding its impact. The campaign also introduces a destructive fallback mechanism capable of attempting to wipe a user’s home directory, delivered through new payloads named setup_bun.js and bun_environment.js. Stolen credentials and secrets are exfiltrated to public GitHub repositories marked with the description “Sha1-Hulud: The Second Coming.”
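A defensive check built from the indicators in the summary, added here as an example and not taken from the advisory or from any vendor tool: it walks an installed dependency tree and reports packages that declare a `preinstall` script or contain a file named `setup_bun.js` or `bun_environment.js`. The function names, the sample packages and the `preinstall` command string are constructed for illustration.

```javascript
// Added example: flag packages with a preinstall hook or the payload file names from the summary.
const fs = require("fs");
const path = require("path");
const os = require("os");
const PAYLOAD_NAMES = ["setup_bun.js", "bun_environment.js"]; // names given in the summary

// Yield every directory under root that holds a package.json.
// Symlinked directories are not followed, so link cycles cannot loop the walk.
function* packageDirs(root) {
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const dir = path.join(root, entry.name);
    if (fs.existsSync(path.join(dir, "package.json"))) yield dir;
    yield* packageDirs(dir); // covers @scope/pkg and nested node_modules
  }
}

function scanNodeModules(root) {
  const findings = [];
  for (const dir of packageDirs(root)) {
    let manifest;
    try {
      manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
    } catch {
      continue; // unreadable or malformed manifest: skipped in this sketch
    }
    const preinstall = manifest?.scripts?.preinstall ?? null;
    const payloads = PAYLOAD_NAMES.filter((f) => fs.existsSync(path.join(dir, f)));
    if (preinstall || payloads.length) {
      findings.push({ dir, name: manifest?.name, preinstall, payloads });
    }
  }
  return findings;
}

// Constructed sample tree so the scan runs offline: one clean and one suspicious package.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "nm-scan-"));
  const write = (rel, body) => {
    const file = path.join(root, rel);
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, body);
  };
  write("clean-pkg/package.json", JSON.stringify({ name: "clean-pkg", scripts: { test: "node t.js" } }));
  write("@scope/bad-pkg/package.json", JSON.stringify({ name: "@scope/bad-pkg", scripts: { preinstall: "node setup_bun.js" } }));
  write("@scope/bad-pkg/setup_bun.js", "// constructed placeholder, not a real payload");
  return root;
}

console.log(scanNodeModules(buildSampleTree()));
```

Point `scanNodeModules` at a tree installed with `npm ci --ignore-scripts`, because a `preinstall` hook has already run by the time a normal install finishes. A `preinstall` script alone is not proof of compromise, so treat each finding as a package to review.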
