sha1-hulud-npm-packages

Incident Summary

Sha1-Hulud Second Coming broad npm package compromise

Sha1-Hulud "Second Coming" was a broad npm worm wave that compromised hundreds of packages beyond the separately tracked Zapier and ENS ecosystems, including major scoped groups such as @asyncapi, @posthog, @postman, @voiceflow, and @browserbasehq. The malicious releases invoked Bun from preinstall hooks, harvested GitHub, npm, cloud, local, and TruffleHog-discovered secrets, exfiltrated through public GitHub repos labeled "Sha1-Hulud: The Second Coming", attempted npm self-propagation, installed a self-hosted GitHub Actions runner, and could shred writable home files on non-CI Linux hosts. StepSecurity reported more than 21,000 public exfiltration repositories early in the incident.

Date
2025-11-23 to 2025-11-24
Category
Open Source
Target Surface
Package registry
Insertion Phase
Distribution
Impact
Credential theft
Cause
Compromised Account/Credentials

What Was Affected

Language
JavaScript
Component
Library
Artifact type
source archive
Domain type
package host
Domain
npmjs.com

Compromised Versions

Incident Context

Motive
Credential Theft/Self-Propagation
Transitive
No
User Impact
21000
Observed Duration
1 day

Evidence

Compromised Artifacts

External References

Source Data

Source record: oss/sha1-hulud-npm-packages/meta.yaml