Perceptive Security
SOC/SIEM Consultancy

GitLab discovers widespread npm supply chain attack
Published: 24 November 2025 at 00:00:00
Alert date: 5 December 2025 at 08:03:23
Source: gitlab.com

GitLab discovered a widespread npm supply chain attack involving an evolved version of the Shai-Hulud malware. The malware harvests credentials from GitHub, npm, AWS, GCP, and Azure, then propagates by automatically infecting other packages owned by victims. Most critically, it contains a 'dead man's switch' mechanism that destroys user data if its propagation channels are severed. The attack uses stolen tokens to create GitHub repositories as data exfiltration points and spreads through npm packages via malicious preinstall scripts. The worm-like propagation creates a resilient botnet-like network where compromised systems share access tokens.
Technical details:
Mitigation steps:
Affected products:
npm
GitHub
AWS
GCP
Azure
GitLab
Related links:
https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/
https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/#enabling-the-analyzer
https://docs.gitlab.com/user/gitlab_duo_chat/agentic_chat/
https://docs.gitlab.com/user/duo_agent_platform/agents/foundational_agents/security_analyst_agent/
Related CVEs:
Related threat actors:
IOCs:
bun_environment.js
.truffler-cache/
.truffler-cache/extract/
.truffler-cache/trufflehog
.truffler-cache/trufflehog.exe
del /F /Q /S "%USERPROFILE%*"
shred -uvz -n 1
cipher /W:%USERPROFILE%
curl -fsSL https://bun.sh/install | bash
powershell -c "irm bun.sh/install.ps1|iex"
Sha1-Hulud: The Second Coming.
setup_bun.js
This article was created with the assistance of AI technology by Perceptive.