


Perceptive Security
SOC/SIEM Consultancy

FAQ About Sha1-Hulud 2.0: The "Second Coming" of the npm Supply-Chain Campaign
Published:
24 November 2025 at 17:29:06
Alert date:
5 December 2025 at 08:03:23
Source:
tenable.com

A massive resurgence of the Shai-Hulud malware is targeting the npm ecosystem, compromising at least 800 high-profile publisher accounts. The attackers upload trojanized versions of legitimate packages that execute via install lifecycle scripts. The malware uses a 'bring your own runtime' technique, downloading the Bun JavaScript runtime to evade detection. The campaign affects tens of thousands of GitHub repositories and high-profile integrations including Zapier, ENS Domains, and Postman. It is more aggressive than previous iterations, attempting to destroy the victim's home directory and delete user files. It executes through preinstall scripts that trigger setup_bun.js upon package installation.
Technical details
Mitigation steps:
Affected products:
npm
Node.js
Bun runtime
GitHub
CI/CD pipelines
Related links:
https://www.tenable.com/blog/faq-about-sha1-hulud-2-0-the-second-coming-of-the-npm-supply-chain-campaign
https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
https://zapier.com/
https://ens.domains/
https://www.postman.com/
https://www.tenable.com/products/nessus
https://www.tenable.com/cloud-security/products/cnapp
https://www.tenable.com/plugins/nessus/265897
https://us.app.ermetic.com/customer/Risks/Vulnerabilities?filterMap=%7B%22FixableVulnerability%22%3Atrue%2C%22VulnerabilityName%22%3A%7B%22emptyValue%22%3Afalse%2C%22type%22%3A%22include%22%2C%22values%22%3A%5B%22Shai+Hulud%22%5D%7D%7D
https://github.com/tenable/shai-hulud-second-coming-affected-packages
Related CVE's:
Related threat actors:
IOC's:
setup_bun.js, bun_environment.js
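
A defensive check built on the behaviour and file names given above, as an added example that is not part of the original alert or of Tenable's tooling: it flags packages whose install lifecycle scripts reference, or whose directory contains, the files listed under IOC's, without running any package code. The function names, the sample manifests, and the choice to check `install` and `postinstall` alongside `preinstall` are assumptions of this example.

```javascript
// Added example: match installed npm packages against this page's indicators.
const IOC_FILES = ['setup_bun.js', 'bun_environment.js']; // from the IOC list on this page
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']; // npm install lifecycle scripts

// Pure check. manifest: parsed package.json; fileNames: entries in the package directory.
function auditPackage(manifest, fileNames) {
  const findings = [];
  const scripts = (manifest && typeof manifest.scripts === 'object' && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = typeof scripts[hook] === 'string' ? scripts[hook].toLowerCase() : '';
    for (const ioc of IOC_FILES) {
      if (cmd.includes(ioc)) findings.push(`${hook} script references ${ioc}`);
    }
  }
  for (const name of fileNames) {
    if (IOC_FILES.includes(String(name).toLowerCase())) findings.push(`file present: ${name}`);
  }
  return findings;
}

// Walk a directory tree (scoped and nested packages included), reading files only.
async function scanTree(root) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const report = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    let entries;
    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { continue; }
    const names = entries.map((e) => e.name);
    if (names.includes('package.json')) {
      let manifest = {};
      try {
        manifest = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
      } catch { /* unreadable manifest: file names are still checked */ }
      const findings = auditPackage(manifest, names);
      if (findings.length) report.push({ dir, findings });
    }
    // Symlinks report isDirectory() === false here, so link loops are not followed.
    for (const e of entries) if (e.isDirectory()) stack.push(path.join(dir, e.name));
  }
  return report;
}

// Constructed sample manifests (not real packages; the preinstall command is illustrative).
const SAMPLE_BAD = { name: 'example-trojanized', scripts: { preinstall: 'node setup_bun.js' } };
const SAMPLE_OK = { name: 'example-clean', scripts: { test: 'node test.js' } };

// Stand-alone use: node scan.js ./node_modules
if (process.argv[2]) scanTree(process.argv[2]).then((r) => console.log(JSON.stringify(r, null, 2)));
```

A match is a triage lead rather than a verdict; compare flagged package names and versions against the affected-package list linked above before acting.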
This article was created with the assistance of AI technology by Perceptive.