Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to know
The malware has compromised more than 700 widely-used npm packages, and is spreading fast
The Shai-Hulud worm is back and once again infecting npm packages – and the scale of the attack is even greater than a September 2025 campaign which affected 180 repositories before containment.
Attackers involved in the campaign have been exploiting compromised package maintainer accounts to publish trojanized versions of legitimate npm packages that appear to originate from the official source.
Once installed, the malware scans for credentials and CI/CD secrets, which are then published to the victim's own GitHub repositories. It also inserts the malicious payload into every npm package the victim's account can publish to, spreading the infection.
This time round, the malware has affected more than 19,000 GitHub repositories and compromised around 700 npm packages, including core libraries from Zapier and the Ethereum Name Service (ENS) ecosystem, along with PostHog and Postman.
According to Wiz Threat Research, the attack is accelerating at around 1,000 new repos every 30 minutes.
"This campaign continues the trend of npm supply-chain compromises referencing Shai-Hulud naming and tradecraft, though it may involve different actors," said Wiz.
New Shai-Hulud campaign shakes up tactics
This campaign adds a couple of new features, according to researchers, including execution using install lifecycle scripts and new payload files setup_bun.js and bun_environment.js.
Meanwhile, if the malware fails to authenticate or establish persistence, it attempts to destroy the victim’s entire home directory, deleting every writable file owned by the current user under their home folder.
Wiz said it has observed multiple environments where the affected packages were downloaded before their removal from npm, suggesting active exposure.
While GitHub is currently removing attacker-created repositories associated with this campaign, the threat actors continue to create new repositories as part of their ongoing activities.
Garrett Calpouzos, principal security researcher at Sonatype, said a peculiar aspect of the campaign is that it appears to be confusing AI analysis tools, largely due to the size and structure of the file.
“It’s so large that it exceeds a normal context window and the models can’t keep track of everything they're reading," he noted.
"I’ve asked both ChatGPT and Gemini to analyze it and I get different answers each time. Looking at their reasoning, they’re searching for obvious malware patterns – like calls to suspicious domains – and not finding any, so they incorrectly conclude it’s just a legitimate session or token management library."
What developers need to know
Developers should cross-reference all installed packages against the compromised list, said Aikido, and uninstall any compromised package versions immediately.
Enterprises are also advised to check GitHub accounts for unauthorized repos with "Shai Hulud: The Second Coming" in the description.
Credential rotation is another key tactic here for defenders, according to Wiz, with devs advised to check GitHub, npm, cloud, and CI/CD secrets used on any machine that installed these packages.
Elsewhere, enterprises should disable npm postinstall scripts in CI environments, enforce MFA on all GitHub and npm accounts, and pause automatic dependency updates until the environment has been verified clean.
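One way to carry out the package check above, as an added example that is not code from the article or from any of the vendors it quotes: it walks a node_modules tree, cross-references each installed name@version against a compromised list you supply, and flags packages whose install lifecycle scripts reference, or whose directory contains, the setup_bun.js and bun_environment.js payload files named earlier. The package names and the compromised list used in demo() are constructed.

```python
import json
import tempfile
from pathlib import Path

# Payload file names and install hooks named in the article for this campaign.
PAYLOAD_FILES = {"setup_bun.js", "bun_environment.js"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def classify_package(manifest, files, compromised):
    """Findings for one package: parsed package.json, file names in its dir, and
    the set of compromised 'name@version' strings being cross-referenced."""
    findings = []
    if f"{manifest.get('name')}@{manifest.get('version')}" in compromised:
        findings.append("version is on the compromised list")
    scripts = manifest.get("scripts") or {}
    hook_cmds = [scripts[h] for h in INSTALL_HOOKS if h in scripts]
    if any(p in cmd for cmd in hook_cmds for p in PAYLOAD_FILES):
        findings.append("install lifecycle hook references a payload file")
    dropped = PAYLOAD_FILES & set(files)
    if dropped:
        findings.append("payload file present: " + ", ".join(sorted(dropped)))
    return findings


def scan_node_modules(root, compromised):
    """Walk a node_modules tree; return {name@version: findings} for flagged packages."""
    flagged = {}
    for manifest_path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text())
        except ValueError:
            continue  # unparsable manifest: skip it rather than abort the scan
        files = {p.name for p in manifest_path.parent.iterdir()}
        found = classify_package(manifest, files, compromised)
        if found:
            flagged[f"{manifest.get('name')}@{manifest.get('version')}"] = found
    return flagged


def demo():
    """Build a constructed node_modules tree (hypothetical package names) and scan it."""
    root = Path(tempfile.mkdtemp())
    clean = {"name": "good-lib", "version": "1.0.0"}
    bad = {"name": "evil-lib", "version": "2.3.1", "scripts": {"preinstall": "node setup_bun.js"}}
    for manifest, extra in ((clean, []), (bad, ["setup_bun.js", "bun_environment.js"])):
        pkg_dir = root / "node_modules" / manifest["name"]
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest))
        for name in extra:
            (pkg_dir / name).touch()
    return scan_node_modules(root, {"evil-lib@2.3.1"})  # constructed compromised list
```

For the CI advice, `npm ci --ignore-scripts` (or `ignore-scripts=true` in the project's .npmrc) is the setting that stops install lifecycle scripts from running at all.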
"The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply chain attacks," commented Charlie Eriksen, a malware researcher at Aikido.
"With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.