Sha1-Hulud worm spread across npm packages
Sha1-Hulud "Second Coming" was a broad npm worm wave that compromised hundreds of packages beyond the separately tracked Zapier and ENS ecosystems, including major scoped groups such as @asyncapi, @posthog, @postman, @voiceflow, and @browserbasehq.
Story
Sha1-Hulud "The Second Coming" was a broad npm worm wave discovered on November 24, 2025. It followed the September Shai-Hulud pattern but moved faster, crossed more package scopes, and produced more public evidence of stolen credentials.
The package list quickly outgrew any single vendor story. StepSecurity tracked hundreds of affected npm packages, including major scoped groups such as @asyncapi, @posthog, @postman, @voiceflow, @accordproject, @browserbasehq, @actbase, @oku-ui, and @mcp-use. Zapier and ENS are modeled separately because their package boundaries and response evidence are cleaner.
The payload installed Bun, harvested local and CI secrets, and wrote stolen material into GitHub repositories created under compromised accounts. StepSecurity reported more than 21,000 public repositories within five hours, using the description "Sha1-Hulud: The Second Coming".
Persistence was explicit. The malware registered a self-hosted GitHub Actions runner named SHA1HULUD under $HOME/.dev-env, then used GitHub discussion workflow injection to keep execution available after the first package install.
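A host triage check for the persistence artifacts named above, as an added example that is not part of the original record. It assumes only the directory ($HOME/.dev-env) and runner name (SHA1HULUD) reported here; the function names are hypothetical.

```javascript
// Added example: look for the runner artifacts this page names on a host.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const RUNNER_DIR = ".dev-env";    // directory under $HOME, from the page
const RUNNER_NAME = "SHA1HULUD";  // runner name, from the page

// Return files under `dir` whose first `maxBytes` contain `needle`.
// Symlinks are not followed and depth is bounded, so a hostile tree
// cannot steer the scan outside `dir` or make it run without end.
function filesMentioning(dir, needle, depth = 3, maxBytes = 1 << 20) {
  const found = [];
  let entries;
  try {
    entries = fs.readdirSync(dir, { withFileTypes: true });
  } catch {
    return found; // unreadable directory: nothing to report from here
  }
  for (const e of entries) {
    const full = path.join(dir, e.name);
    if (e.isDirectory() && depth > 0) {
      found.push(...filesMentioning(full, needle, depth - 1, maxBytes));
    } else if (e.isFile()) {
      try {
        const fd = fs.openSync(full, "r");
        const buf = Buffer.alloc(Math.min(maxBytes, fs.fstatSync(fd).size));
        fs.readSync(fd, buf, 0, buf.length, 0);
        fs.closeSync(fd);
        if (buf.includes(needle)) found.push(full);
      } catch { /* unreadable file: skip it */ }
    }
  }
  return found;
}

// Report whether the directory exists and which files name the runner.
function checkHost(home = os.homedir()) {
  const dir = path.join(home, RUNNER_DIR);
  const st = fs.lstatSync(dir, { throwIfNoEntry: false });
  if (!st || !st.isDirectory()) return { dirPresent: false, matches: [] };
  return { dirPresent: true, matches: filesMentioning(dir, RUNNER_NAME) };
}

console.log(checkHost());
```

A present directory with no matches still deserves a manual look, since the name match only covers files that store the runner name in plain text.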
The destructive path mattered too. On non-CI Linux hosts, the payload could shred writable files under the user's home directory. That turned an install-time credential theft into a local data-loss event for some machines.
This campaign record carries the broad worm mechanics and moving aggregate. Leaf records remain package-scoped where the affected ecosystem published official advisories or where package lists are compact enough for practical inventory work.
Linked Attacks
2025
The Sha1-Hulud "Second Coming" npm worm compromised Zapier packages across the @zapier scope and unscoped zapier-platform packages.
Campaign Context
- Cause: Unknown
- User Impact: 21000
Affected Packages
- @ensdomains/address-encoder 1.1.5
- @ensdomains/blacklist 1.0.1
- @ensdomains/buffer 0.1.2
- @ensdomains/ccip-read-cf-worker 0.0.4
- @ensdomains/ccip-read-dns-gateway 0.1.1
- @ensdomains/ccip-read-router 0.0.7
- @ensdomains/ccip-read-worker-viem 0.0.4
- @ensdomains/content-hash 3.0.1
- @ensdomains/curvearithmetics 1.0.1
- @ensdomains/cypress-metamask 1.2.1
- @ensdomains/dnsprovejs 0.5.3
- @ensdomains/dnssec-oracle-anchors 0.0.2
- @ensdomains/dnssecoraclejs 0.2.9
- @ensdomains/durin 0.1.2
- @ensdomains/durin-middleware 0.0.2
- @ensdomains/ens-archived-contracts 0.0.3
- @ensdomains/ens-avatar 1.0.4
- @ensdomains/ens-contracts 1.6.1
- @ensdomains/ens-test-env 1.0.2
- @ensdomains/ens-validation 0.1.1
- @ensdomains/ensjs 4.0.3
- @ensdomains/ensjs-react 0.0.5
- @ensdomains/eth-ens-namehash 2.0.16
- @ensdomains/hackathon-registrar 1.0.5
- @ensdomains/hardhat-chai-matche... 0.1.15
- @ensdomains/hardhat-toolbox-vie... 0.0.6
- @ensdomains/mock 2.1.52
- @ensdomains/name-wrapper 1.0.1
- @ensdomains/offchain-resolver-c... 0.2.2
- @ensdomains/op-resolver-contracts 0.0.2
- @ensdomains/react-ens-address 0.0.32
- @ensdomains/renewal 0.0.13
- @ensdomains/renewal-widget 0.1.10
- @ensdomains/reverse-records 1.0.1
- @ensdomains/server-analytics 0.0.2
- @ensdomains/solsha1 0.0.4
- @ensdomains/subdomain-registrar 0.2.4
- @ensdomains/test-utils 1.3.1
- @ensdomains/thorin 0.6.51
- @ensdomains/ui 3.4.6
- @ensdomains/unicode-confusables 0.1.1
- @ensdomains/unruggable-gateways 0.0.3
- @ensdomains/vite-plugin-i18next... 4.0.4
- @ensdomains/web3modal 1.10.2
- ethereum-ens 0.8.1
- @zapier/ai-actions 0.1.18, 0.1.19, 0.1.20
- @zapier/ai-actions-react 0.1.12, 0.1.13, 0.1.14
- @zapier/babel-preset-zapier 6.4.1, 6.4.2, 6.4.3
- @zapier/browserslist-config-zapier 1.0.3, 1.0.4, 1.0.5
- @zapier/eslint-plugin-zapier 11.0.3, 11.0.4, 11.0.5
- @zapier/mcp-integration 3.0.1, 3.0.2, 3.0.3
- @zapier/secret-scrubber 1.1.3, 1.1.4, 1.1.5
- @zapier/spectral-api-ruleset 1.9.1, 1.9.2, 1.9.3
- @zapier/stubtree 0.1.2, 0.1.3, 0.1.4
- @zapier/zapier-sdk 0.15.5, 0.15.6, 0.15.7
- zapier-async-storage 1.0.1, 1.0.2, 1.0.3
- redux-router-kit 1.2.2, 1.2.3, 1.2.4
- zapier-platform-cli 18.0.2, 18.0.3, 18.0.4
- zapier-platform-core 18.0.2, 18.0.3, 18.0.4
- zapier-platform-legacy-scriptin... 4.0.2, 4.0.3, 4.0.4
- zapier-platform-schema 18.0.2, 18.0.3, 18.0.4
- zapier-scripts 7.8.3, 7.8.4
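An inventory check against the list above, as an added example that is not part of the original record: it matches a parsed package-lock.json against exact affected versions, including transitive copies. The function names and the sample lockfile are constructed for illustration, and the map holds only a subset of the listed packages (entries whose names are truncated on this page are left out).

```javascript
// Added example. Versions are copied from this page's list (subset only).
const AFFECTED = new Map([
  ["@ensdomains/ensjs", ["4.0.3"]],
  ["@zapier/secret-scrubber", ["1.1.3", "1.1.4", "1.1.5"]],
  ["zapier-platform-core", ["18.0.2", "18.0.3", "18.0.4"]],
]);

// Lockfile v2/v3 keys: the name follows the last "node_modules/" segment.
function nameFromLockPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Returns [{name, version, path}] for every locked copy on the affected list,
// including transitive copies nested under other packages.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const check = (name, version, path) => {
    if (name && (affected.get(name) || []).includes(version)) {
      hits.push({ name, version, path });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || nameFromLockPath(path), meta.version, path);
    }
  } else {
    // lockfileVersion 1: recursive "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, `${trail}/${name}`);
        walk(meta.dependencies, `${trail}/${name}`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/zapier-platform-core": { version: "18.0.3" },
  "node_modules/zapier-platform-core/node_modules/@zapier/secret-scrubber": { version: "1.1.4" },
  "node_modules/@ensdomains/ensjs": { version: "4.0.4" },
} };
console.log(findAffected(SAMPLE_LOCK));
```

To audit a real project, pass the result of `JSON.parse` on its package-lock.json to `findAffected` and extend `AFFECTED` with the remaining rows.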
Notes
- Legacy artifact note: 700+ npm package rows in StepSecurity affected-package list
- Legacy artifact note: @asyncapi/* packages
- Legacy artifact note: @posthog/* packages
- Legacy artifact note: @postman/* packages
- Legacy artifact note: @voiceflow/* packages
- Legacy artifact note: @accordproject/* packages
- Legacy artifact note: @browserbasehq/* packages
- Legacy artifact note: @actbase/* packages
- Legacy artifact note: @oku-ui/* packages
- Legacy artifact note: @mcp-use/* packages
External References
- Sha1-Hulud the Second Coming (stepsecurity.io)
- Sha1-Hulud the Second Coming Affected Package List (stepsecurity-public-media.s3.us-west-2.amazonaws.com)
Source record: oss/campaigns/sha1-hulud-npm-packages/meta.yaml