Shai-Hulud’s Second Coming: NPM Malware Attack Evolved - Checkmarx

Shai-Hulud’s Second Coming: NPM Malware Attack Evolved

A newly evolved Shai-Hulud variant hits NPM; and this time it’s out for blood. Faster, stealthier execution and a “punishment” if it can’t successfully steal a user’s credentials.

Early on 24 November 2025, news broke that a new round of attacks against NPM using an evolved form of the self-propagating Shai-Hulud malware had been launched. Dubbed “Second Coming”, this evolution is designed to be harder to detect automatically, faster to replicate, and to cause damage when it can’t access credentials.

Update 2025-12-02: With no new infections detected for over 24 hours, Checkmarx Zero is considering this infection contained at the moment. Organizations without indicators of malicious activity in their environment should return to normal operation, and continue to monitor.

  • Created GitHub repositories now have randomized names, making automatic detection harder
  • Payload deployment and execution is now two-stage: the file `setup_bun.js` runs first, then creates and executes `bun_environment.js`, which contains the core payload
  • Infection limit is now 100 npm packages per execution, which makes propagation faster when users with credentialed access to large numbers of packages (such as build system automations) are compromised
  • A failure to authenticate to GitHub or NPM with acquired credentials triggers a wipe of the infected user’s HOME directory, causing damage that significantly slows development efforts and causes build failures in CI/CD

Checkmarx is adding affected packages rapidly to our Malicious Package Database. As a community service, we will periodically update this GitHub Gist with affected versions we’ve identified. Note that this list will not be as up-to-date as our malicious package database.

Other defensive actions to take

We also recommend taking defensive actions until the infection is under control. Consider:

  1. If using a proxy like Artifactory, temporarily blocking it from accessing new releases on the NPM public repository until the infection is under control will significantly mitigate your risk
  2. Though it is disruptive to development workflows, blocking network access to the public NPM repository from developer and CI/CD environments until the infection is under control
  3. Configuring endpoint security software so that it blocks processes that create or load files named `setup_bun.js` or `bun_environment.js`, or javascript engines (such as node) attempting to delete files under HOME directories
  4. Reviewing users’ NPM granular tokens to ensure that access is not over-broad

The timing of this attack seems to be aligned with the phase-out of classic NPM tokens, perhaps aiming to capitalize on over-broad access as users make the switch to granular tokens.

Tags: NPM, Open-Source Supply Chain, Shai-Hulud, Supply Chain Security, Worm