npm Worm Shai-Hulud Strikes Again, Compromising 27,000 GitHub Repos

These articles are AI-generated summaries. Please check the original sources for full details.

Shai-Hulud Returns with More Aggression

Attackers spread a self-replicating worm, “Sha1-Hulud: The Second Coming,” through the npm registry, affecting 800 packages and 27,000 GitHub repositories. The worm stole 3,760 valid secrets, including AWS IAM keys and GitHub OAuth tokens.

Why This Matters

Modern supply chain attacks abuse trusted tooling such as npm, whose packages are rarely audited for malicious behavior at install time or afterwards. The worm's shift to running under Bun during package installation shows how attackers evade monitoring that watches only Node.js processes. The breach gave the attackers unauthorized access to Trigger.dev's GitHub org and exposed 33,185 unique secrets, demonstrating the scale of damage a single compromised package can cause.

Key Insights

  • “8-hour App Engine outage, 2012” – Highlighting how even short disruptions can cascade into major breaches.
  • “Sagas over ACID for e-commerce” – Distributed systems must prioritize resilience over strict consistency in attack scenarios.
  • “Temporal used by Stripe, Coinbase” – Workflow orchestration tools are critical for managing post-compromise remediation.

Practical Applications

  • Use Case: npm package maintainers must scan dependencies for republished malicious payloads.
  • Pitfall: Assuming third-party packages are secure without runtime integrity checks.
