A second major wave of the self‑propagating Shai‑Hulud npm worm, branded “Sha1‑Hulud: The Second Coming”, has compromised 605 npm packages, among them high‑impact packages such as @asyncapi/specs, which alone has more than 100 million lifetime downloads. The compromised versions add two files, setup_bun.js and bun_environment.js, and a preinstall script in package.json that runs an obfuscated payload as soon as the package is installed; the payload steals cloud service secrets, exfiltrates them to thousands of public GitHub repositories and in some cases includes data‑wiping functionality. #Sha1-Hulud #AsyncAPI
Keypoints
- 605 npm packages were identified as compromised in the latest Sha1‑Hulud outbreak, impacting widely used open source and commercial applications.
- @asyncapi/specs is believed to be the “patient‑zero” package for this wave and is notable for having more than 100 million lifetime downloads and ~1.4 million weekly downloads.
- The compromise occurred via a package version update that added two JavaScript files (setup_bun.js and bun_environment.js) and a preinstall script in package.json; because npm runs lifecycle hooks automatically during install, simply installing the poisoned version (directly or as a transitive dependency) triggers execution of the obfuscated payload.
- The malware steals cloud service secrets and exfiltrates harvested data to public GitHub repositories (thousands created with randomly generated names); RL identified over 27,000 GitHub repos created by the campaign.
- The “Second Coming” variant preserves worm‑like self‑propagation across packages maintained by the same authors and adds optional wiper functionality that can delete user data folders.
- Detection and mitigation: RL Spectra Assure detects the threat (TH15502 policy violation); recommended actions include reviewing dependency updates from the last 12 hours and disabling automated dependency upgrades without verification.
MITRE Techniques
- [None] The article does not explicitly reference MITRE ATT&CK technique IDs or names — ‘the malware copies most of the functionalities observed in the first wave, including stealing cloud service secrets and exfiltrating them to public GitHub repositories.’
Indicators of Compromise
- [File names] Malicious files added to compromised package versions – setup_bun.js, bun_environment.js
- [Package names/versions] Infected npm packages and initial compromise points – @asyncapi/specs, rxnt-authentication (version 0.0.3)
- [Repository names] Public GitHub repositories created to store exfiltrated data – randomly generated repository names used by the campaign (over 27,000 repositories), searchable by the string “Sha1-Hulud:The Second Coming”
Read more: https://www.reversinglabs.com/blog/new-shai-hulud-worm-spreads-what-to-know