Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft


These articles are AI-generated summaries. Please check the original sources for full details.

A new supply chain attack named Sha1-Hulud has compromised over 25,000 GitHub repositories by injecting malicious npm packages. The attack exploits preinstall scripts to steal cloud credentials and, in some cases, wipe developer home directories.

Why This Matters

The attack highlights the fragility of npm's trust model: attackers compromise legitimate packages so that their code runs automatically during installation. Real-world supply chains are exposed to tampering at exactly this step, and this campaign uses preinstall hooks to run before any traditional security checks apply. Wiz reports 25,000+ repositories affected, with 1,000 new infections every 30 minutes, escalating risks for cloud infrastructure.

Key Insights

  • “25,000+ repositories compromised, 2025”: Wiz researchers identified 350 unique users impacted.
  • “Preinstall scripts for credential theft”: Attackers added a preinstall entry to package.json that invokes setup_bun.js, which in turn runs bun_environment.js and uses TruffleHog to harvest secrets.
  • “Docker-based root access attempts”: Malware uses Docker to mount host filesystems and gain passwordless root access.

Practical Applications

  • Use Case: npm package maintainers must audit preinstall scripts for unauthorized modifications.
  • Pitfall: Failing to rotate credentials after a breach can lead to prolonged exfiltration or destructive payloads.
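
One way to carry out the audit suggested above, as an added example that is not from the article or from Wiz: it parses a package.json, reports every install-time lifecycle hook it finds, and marks as critical any hook referencing the file names the summary mentions (setup_bun.js, bun_environment.js). The sample manifests and function names are constructed for illustration.

```javascript
// Added example (not from the original article): audit install-time lifecycle
// hooks in a package.json, the step this campaign abuses via preinstall.
// The indicator file names come from the article; the sample manifests below
// are constructed and do not correspond to real packages.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// File names the article reports the malicious preinstall step invoking.
const KNOWN_INDICATORS = ["setup_bun.js", "bun_environment.js"];

// Inspect one package.json (as text) and return an array of findings.
// Every lifecycle hook is reported, because each runs arbitrary code at
// install time; a hook that references a known indicator is "critical",
// any other hook is "review" so a human can confirm it is expected.
function auditLifecycleScripts(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const hit = KNOWN_INDICATORS.find((name) => command.includes(name));
    findings.push({
      package: `${manifest.name}@${manifest.version}`,
      hook,
      command,
      severity: hit ? "critical" : "review",
      reason: hit ? `references known indicator ${hit}` : "runs code at install time",
    });
  }
  return findings;
}

// Constructed sample manifests used to exercise the check.
const SAMPLE_CLEAN = JSON.stringify({
  name: "example-clean", version: "1.0.0", scripts: { test: "node test.js" },
});
const SAMPLE_TAMPERED = JSON.stringify({
  name: "example-lib", version: "2.3.4",
  scripts: { preinstall: "node setup_bun.js", test: "jest" },
});

for (const f of auditLifecycleScripts(SAMPLE_TAMPERED)) {
  console.log(`[${f.severity}] ${f.package} ${f.hook}: ${f.command} (${f.reason})`);
}
```

Running the same function over every package.json under node_modules (or over each package before it is installed) turns this into a repeatable pre-install gate; installing with npm's `--ignore-scripts` option prevents these hooks from executing at all while a tree is being reviewed.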
