A major new wave of supply chain attacks has struck the npm ecosystem, with more than 19,000 GitHub repositories compromised within hours. The incident, tracked as the latest ‘Shai Hulud’ malware campaign, is targeting high-profile projects, including core libraries used by Zapier and the Ethereum Name Service (ENS) ecosystem.
Rapid escalation
Aikido Security detected the attack early in the morning, and the incident quickly revealed a scale not previously observed in npm-related incidents. Over 19,000 repositories are now affected, compared to 180 during a similar campaign in September. In just hours, the malware variant “Shai Hulud: The Second Coming” has seized developer credentials and spread across an expanding set of packages in the npm ecosystem.
Attack method
The malware uses compromised npm packages to automatically search the developer’s local environment for sensitive credentials, including passwords, API keys, and cloud secrets. Once harvested, the credentials are immediately published to new public GitHub repositories. The attackers use a tool called TruffleHog to extract these secrets, which are then published under the label “Sha1-Hulud: The Second Coming.” Any GitHub or npm credentials obtained are in turn used to compromise yet more packages, creating an expanding chain of infections.
High-profile packages affected
Among the most heavily impacted are several key Zapier libraries, including @zapier/zapier-sdk, zapier-platform-core, zapier-platform-cli, and zapier-platform-schema, as well as tools for the Zapier and ENS developer communities. At least 60 npm packages have been confirmed compromised, with the list growing. The ENS ecosystem, which underpins Ethereum Name Service applications, has seen critical components such as @ensdomains/ens-validation and @ensdomains/ensjs compromised.
Propagation scale
The methodology used by the attackers has proven to be significantly faster and more resilient than in previous incidents. A ‘webhook’ bottleneck limited the September variant; this time, the attackers are dumping credentials straight to public repositories, bypassing that constraint. As a result, any infected developer machine or CI/CD system with exposed credentials can instantly become a new infection vector, accelerating the spread exponentially.
Developer actions
Organisations are urgently cross-referencing their installed packages against published lists of compromised dependencies. Uninstalling affected package versions and rotating credentials are immediate priorities. Developers are searching for unauthorised repositories in their GitHub accounts with references to Shai Hulud and disabling risky package scripts in continuous integration environments. There is a strong emphasis on enforcing multi-factor authentication for npm and GitHub accounts.
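One way to do the cross-referencing step described above, as an added example that is not from the article or from Aikido Security: it assumes a lockfileVersion 2 or 3 package-lock.json, and the version numbers and sample lockfile are constructed placeholders standing in for a real published list of compromised versions.

```javascript
// Added example (not from the article or Aikido Security): cross-reference a
// package-lock.json "packages" map (lockfileVersion 2/3) against a list of
// compromised "name@version" entries, catching transitive installs too. Names
// are from the article; versions and the sample lockfile are CONSTRUCTED placeholders.
// Constructed advisory list; in practice load the published list here.
const COMPROMISED = new Set([
  "@zapier/zapier-sdk@0.0.0-placeholder",
  "zapier-platform-core@0.0.0-placeholder",
  "@ensdomains/ensjs@0.0.0-placeholder",
]);
// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is what follows the last "node_modules/". The root entry ("") gives null.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walks every installed package, direct and nested, and returns the matches
// sorted by key. hasInstallScript is surfaced because install-time lifecycle
// scripts are the execution vector for this kind of malware.
function findCompromised(lockJson, compromised = COMPROMISED) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lockJson.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !meta.version) continue;
    const key = `${name}@${meta.version}`;
    if (compromised.has(key)) {
      hits.push({ key, path: lockPath, hasScripts: Boolean(meta.hasInstallScript) });
    }
  }
  return hits.sort((a, b) => (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
}

// Constructed sample: a direct hit with an install script, a transitive hit
// nested under another dependency, and a listed package at a clean version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/zapier-platform-core": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/some-lib": { version: "2.3.4" },
    "node_modules/some-lib/node_modules/@ensdomains/ensjs": { version: "0.0.0-placeholder" },
    "node_modules/@zapier/zapier-sdk": { version: "1.2.3-placeholder" },
  },
};
for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.key} at ${h.path}${h.hasScripts ? " (runs install script)" : ""}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` in place of `SAMPLE_LOCK`; a non-empty result means the affected versions must be removed and any credentials reachable from that machine or pipeline rotated.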
“This incident shows how the attackers have learned from previous campaigns. By cutting out bottlenecks and automating credential dumping, they’ve achieved a scale and velocity we haven’t seen before in the npm ecosystem,” said Charlie Eriksen, Security Researcher, Aikido Security.
