A new wave of the self‑propagating worm known as Sha1-Hulud has compromised 605 npm packages — including @asyncapi/specs (linked as patient-zero) — affecting packages with a combined lifetime download count of over 100 million. The malware is delivered via a package version update that adds setup_bun.js and bun_environment.js executed by a preinstall script, and includes secret‑stealing exfiltration to randomly named public GitHub repositories plus new wiper functionality. #Sha1-Hulud #npm
Keypoints
- 605 npm packages have been compromised in the second Sha1-Hulud outbreak, many of them widely used by open source and commercial applications.
- The @asyncapi/specs package (with more than 100 million lifetime downloads and ~1.4M weekly downloads) is believed to be the patient-zero package for this wave.
- Compromise occurred via a package version update that added two JavaScript files (setup_bun.js and bun_environment.js) and a preinstall script entry in package.json that triggers execution.
- The malware reuses worm‑like propagation to infect other packages maintained by the same authors, steals cloud service secrets, and exfiltrates data to randomly generated public GitHub repositories.
- The new variant “Sha1-Hulud: The Second Coming” adds wiper functionality that can delete user data folders in specific cases.
- Detection and mitigation guidance: search GitHub accounts for “Sha1-Hulud:The Second Coming”, review dependency updates from the last 12 hours, disable automated dependency upgrades without verification, and look for detection policy TH15502 in RL Spectra Assure; GitHub has also enforced stronger publishing controls (2FA, limited token lifespans, trusted publishing).
MITRE Techniques
- [T1195] Supply Chain Compromise – The attack uses compromised packages in the npm ecosystem to deliver the worm via malicious package updates. (‘…compromised via a package version update that was released with two new javascript files added: setup_bun.js and bun_environment.js.’)
- [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious JavaScript files are executed during package installation via npm scripts. (‘Execution of the malicious loader in setup_bun.js is triggered through the preinstall script added to package.json file.’)
- [T1105] Ingress Tool Transfer – The loader retrieves or executes an obfuscated payload delivered with the package (transfer and execution of additional malicious code). (‘The loader then executes the obfuscated payload from the bun_environment.js file.’)
- [T1567.002] Exfiltration to Cloud Storage / Web Services – Stolen cloud service secrets and harvested data are exfiltrated to public GitHub repositories created by the malware. (‘exfiltrating them to public GitHub repositories – this time with randomly generated names.’)
- [T1485] Data Destruction – The variant includes wiper functionality that deletes user data folders in certain cases. (‘the worm deletes user data folders.’)
Indicators of Compromise
- [Package names] compromised npm packages and related infected packages – @asyncapi/specs, [email protected], and 603 other compromised packages
- [File names] malicious files added to packages – setup_bun.js, bun_environment.js (loader and obfuscated payload)
- [Package metadata / scripts] installation scripts used to trigger execution – preinstall script entry in package.json (triggers setup_bun.js execution)
- [GitHub repositories] exfiltration destinations created by the malware – randomly named public repositories containing stolen data; more than 27,000 such repositories identified (search term: “Sha1-Hulud:The Second Coming”)
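A defender's check for the install-hook pattern described in the keypoints and the indicators above, added here as an example rather than tooling from the report or from RL: it walks a node_modules tree, reads each package.json without executing anything, and flags any lifecycle hook that references setup_bun.js or bun_environment.js, any preinstall hook at all (worth reviewing after a 12-hour dependency update window), and the two dropped file names themselves. The sample tree it builds is constructed for the demo; the package names in it (left-pad-ish, @example/infected-demo) are placeholders, not packages named in the report.

```python
"""Scan an installed node_modules tree for the Sha1-Hulud install-hook pattern:
a preinstall script in package.json plus dropped setup_bun.js / bun_environment.js.
Added example; not tooling from the report. Reads manifests only, runs nothing."""
import json
import tempfile
from pathlib import Path

SUSPECT_FILES = ("setup_bun.js", "bun_environment.js")  # file names from the report
HOOKS = ("preinstall", "install", "postinstall")        # lifecycle hooks npm runs on install


def scan_package_dir(pkg_dir: Path) -> list:
    """Return (package, finding-kind, detail) tuples for one package directory."""
    findings = []
    manifest = pkg_dir / "package.json"
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return findings  # unreadable or malformed manifest: nothing to judge
    name = data.get("name", str(pkg_dir))
    scripts = data.get("scripts") or {}
    for hook in HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        if any(f in cmd for f in SUSPECT_FILES):
            # The exact trigger seen in this campaign: a hook invoking the loader.
            findings.append((name, "hook-runs-suspect-file", f"{hook}: {cmd}"))
        elif hook == "preinstall":
            # Any preinstall hook is rare enough in normal packages to deserve review.
            findings.append((name, "preinstall-hook-present", f"{hook}: {cmd}"))
    for f in SUSPECT_FILES:
        if (pkg_dir / f).is_file():
            findings.append((name, "suspect-file-present", f))
    return findings


def scan_tree(root) -> list:
    """Scan every package.json below root (typically a project's node_modules)."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        findings.extend(scan_package_dir(manifest.parent))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one clean package and one mimicking the infection layout.
    The two .js files are inert placeholders, not the real loader or payload."""
    clean = root / "node_modules" / "left-pad-ish"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "left-pad-ish", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
    bad = root / "node_modules" / "@example" / "infected-demo"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "@example/infected-demo", "version": "9.9.9",
         "scripts": {"preinstall": "node setup_bun.js"}}))
    (bad / "setup_bun.js").write_text("// inert placeholder for the demo\n")
    (bad / "bun_environment.js").write_text("// inert placeholder for the demo\n")


def demo() -> list:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    # Against a real project, replace demo() with scan_tree("path/to/node_modules").
    for pkg, kind, detail in demo():
        print(f"{kind:26} {pkg:26} {detail}")
```

The clean package produces no findings; the placeholder infected package produces three (the hook, and each dropped file). A hit on `hook-runs-suspect-file` is the strongest signal; a bare `preinstall-hook-present` is a review item, since legitimate packages occasionally use it, and the review should be paired with the other guidance above (checking recent dependency updates and the GitHub search term).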