Wiz
Blog

Shai-Hulud 2.0: Ongoing Supply Chain Attack

Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign impacting Zapier, ENS Domains, and others.

Hila Ramati, Merav Bar, Gal Benmocha, Gili Tikochinski

A new npm supply-chain campaign referencing the Shai-Hulud malware has compromised multiple popular packages, including those from Zapier, ENS Domains, PostHog, and Postman.
The campaign introduces a new variant that executes malicious code during the preinstall phase, significantly increasing potential exposure in build and runtime environments.

Wiz Research spotted over 25,000 affected repositories across ~350 unique users, 1,000 new repositories are being added consistently every 30 minutes in the last couple of hours. In addition, Wiz has identified newly compromised packages that contain files linked to this activity.

Immediate investigation and remediation are strongly recommended for any npm-based environments.

What is this campaign?

This campaign continues the trend of npm supply-chain compromises referencing Shai-Hulud naming and tradecraft, though it may involve different actors. The threat leverages compromised maintainer accounts to publish trojanized versions of legitimate npm packages that execute credential theft and exfiltration code during installation.

Unlike the earlier variant, this wave introduces:

  • Execution using install lifecycle scripts.

  • New payload files - setup_bun.js and bun_environment.js.

Expanded targeting across the PostHog, Postman, and AsyncAPI ecosystems.

Wiz Threat Research is currently in the process of analyzing the malicious payload, and found that the attacker is adding a runner with a vulnerability - the flaw runs 'echo' on the text in discussion, allowing the attacker to run code by adding shell to the discussion body.

What sort of exploitation has been identified in the wild?

Wiz Threat Research and Aikido have confirmed that the trojanized npm packages were uploaded to npm between November 21-23, 2025. Once installed, the malware exfiltrates developer and CI/CD secrets to GitHub repositories with names referencing Shai-Hulud.

This variant executes only during the preinstall phase. The malware creates the following files: cloud.json, contents.json, environment.json, and truffleSecrets.json. It also attempts to create a discussion.yaml file inside the GitHub workflow.

The campaign’s behavior closely resembles the previous Shai-Hulud worm but may involve different threat actors, given differences in payload structure and propagation logic. No attribution has been confirmed at this time. Wiz has observed multiple environments where these packages were downloaded before their removal from npm, suggesting active exposure.

GitHub is currently removing attacker-created repositories associated with this campaign; however, the attacker continues to create new repositories as part of the ongoing activity.

Which products and packages are affected?

The following npm packages (and versions) have been confirmed compromised:

Zapier Packages

  • @zapier/zapier-sdk - 0.15.5, 0.15.6, 0.15.7

  • zapier-platform-core - 18.0.2, 18.0.3, 18.0.4

  • zapier-platform-cli - 18.0.2, 18.0.3, 18.0.4

  • zapier-platform-schema - 18.0.2, 18.0.3, 18.0.4

  • @zapier/mcp-integration - 3.0.1, 3.0.2, 3.0.3

  • @zapier/secret-scrubber - 1.1.3, 1.1.4, 1.1.5

  • @zapier/ai-actions-react - 0.1.12, 0.1.13, 0.1.14

  • @zapier/stubtree - 0.1.2, 0.1.3, 0.1.4

  • zapier-scripts - 7.8.3, 7.8.4

ENS Domains Packages

  • @ensdomains/ens-validation - 0.1.1

  • @ensdomains/content-hash - 3.0.1

  • ethereum-ens - 0.8.1

  • @ensdomains/react-ens-address - 0.0.32

  • @ensdomains/ens-contracts - 1.6.1

  • @ensdomains/ensjs - 4.0.3

  • @ensdomains/dnssecoraclejs - 0.2.9

  • @ensdomains/address-encoder - 0.1.5

Other Impacted Publishers

  • @posthog/agent - 1.24.1

  • Numerous packages under @trigo/*, @orbitgtbelgium/*, and @louisle2/*

Additional ecosystem packages including:
typeorm-orbit, orbit-nebula-draw-tools, atrix-mongoose, orbit-boxicons, orbit-soap, redux-forge, and more.

TTPs & IOCs

TacticIndicator / Tool / Artifact
TA0001 – Initial Accessnpm package versions listed above
TA0002 – Executionpre-install script in package.json
TA0003 – PersistenceGitHub Actions workflow shai-hulud-workflow.yml
TA0007 – DiscoveryAccess to /metadata/ endpoints in AWS/GCP/Azure
TA0010 – ExfiltrationOutbound connections to webhook[.]site
TA0010 – ExfiltrationCreation of GitHub repos titled Shai-Hulud
TA0009 – Collectiondata.json files containing encoded secrets

Which actions should security teams take?

Remove and replace compromised packages

  • Clear npm cache:

npm cache clean --force
rm -rf node_modules

  • Pin dependencies to known clean versions or roll back to pre-November 21, 2025 builds.

Rotate all credentials

  • Revoke and regenerate npm tokens, GitHub PATs, SSH keys, and cloud provider credentials.

  • Enforce phishing-resistant MFA for developer and CI/CD accounts.

Audit GitHub and CI/CD environments

  • Search for newly created repositories with "Shai-Hulud" in the description.

  • Review for unauthorized workflows or suspicious commits referencing hulud.

  • Monitor for new npm publishes under your organization.

Harden pipelines

  • Restrict or disable lifecycle scripts (postinstall, preinstall) in CI/CD.

  • Limit outbound network access from build systems to trusted domains only.

  • Use short-lived, scoped automation tokens.

How Wiz Can Help

Wiz customers can use the pre-built query in the Wiz Threat Center to detect environments containing the affected npm packages.

Appendix

PackageVersion
@zapier/zapier-sdk0.15.5, 0.15.6, 0.15.7
zapier-platform-core18.0.2, 18.0.3, 18.0.4
zapier-platform-cli18.0.2, 18.0.3, 18.0.4
zapier-platform-schema18.0.2, 18.0.3, 18.0.4
@zapier/mcp-integration3.0.1, 3.0.2, 3.0.3
@zapier/secret-scrubber1.1.3, 1.1.4, 1.1.5
@zapier/ai-actions-react0.1.12, 0.1.13, 0.1.14
@zapier/stubtree0.1.2, 0.1.3, 0.1.4
zapier-scripts7.8.3, 7.8.4
@ensdomains/ens-validation0.1.1
@ensdomains/content-hash3.0.1
ethereum-ens0.8.1
@ensdomains/react-ens-address0.0.32
@ensdomains/ens-contracts1.6.1
@ensdomains/ensjs4.0.3
@ensdomains/dnssecoraclejs0.2.9
@ensdomains/address-encoder0.1.5
@posthog/agent1.24.1
@trigo/*Numerous packages (various versions)
@orbitgtbelgium/*Numerous packages (various versions)
@louisle2/*Numerous packages (various versions)
Additional ecosystem packagestypeorm-orbit, orbit-nebula-draw-tools, atrix-mongoose, orbit-boxicons, orbit-soap, redux-forge, etc.

References

Tags
#Research#Security#Threat Intel

Continue reading

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo