The JavaScript ecosystem is facing another critical supply chain attack as the notorious Shai-Hulud worm resurfaces with a new variant labeled "Sha1-Hulud: The Second Coming" by threat actors. Over 70 npm packages have been compromised with malicious code that steals and publicly exposes developer credentials, marking one of the most significant supply chain incidents of recent months. The StepSecurity team is actively investigating this incident and will continue to update this post as new information becomes available.
The Attack Unfolds
The malware, an evolved variant of the September 2024 Shai-Hulud worm, demonstrates sophisticated self-propagation capabilities. Within just 5 hours of initial detection, the impact has already surpassed the original campaign, with over 16,000 public GitHub repositories created containing stolen credentials—all bearing the repository description: "Sha1-Hulud: The Second Coming."
You can see the list of repositories from compromised users / systems here:
https://github.com/search?q=Sha1-Hulud%3A+The+Second+Coming.&ref=opensearch&type=repositories


Compromised Packages
The following packages have been confirmed to contain malicious versions:
Immediate Remediation Steps
Check your package versions immediately
- Affected versions given above.
- Run npm ls <package> to check your installed versions.
- Check package-lock.json for any compromised packages.
Audit Your GitHub Account
- Check for and delete any repository with description "Sha1-Hulud: The Second Coming."
- Review audit logs for unauthorized access.
- Review security events for your GitHub account by visiting this URL.
Remediate if compromised
- Remove node_modules entirely: rm -rf node_modules
- Clear npm cache: npm cache clean --force
- Update package-lock.json to exclude malicious versions.
- Reinstall dependencies with safe versions [Z.Z.Z+].
- Consider full system reinstallation.
Rotate exposed credentials
- Rotate ALL credentials immediately:
  - GitHub personal access tokens
  - npm authentication tokens
  - SSH keys
  - API keys in .env files
  - Claude, Gemini, and q API keys
For StepSecurity Enterprise Customers
The following steps are applicable only for StepSecurity enterprise customers. If you are not an existing enterprise customer, you can start our 14-day free trial by installing the StepSecurity GitHub App to complete the following recovery steps.
Use NPM Package Cooldown Check
The NPM Cooldown check automatically fails a pull request if it introduces an npm package version that was released within the organization’s configured cooldown period (default: 2 days). Once the cooldown period has passed, the check will clear automatically with no action required. The rationale is simple - most supply chain attacks are detected within the first 24 hours of a malicious package release, and the projects that get compromised are often the ones that rushed to adopt the version immediately. By introducing a short waiting period before allowing new dependencies, teams can reduce their exposure to fresh attacks while still keeping their dependencies up to date.
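The two checks above, scanning a lockfile for known-compromised versions (the "Check your package versions" step) and failing a change that introduces a version younger than the cooldown period, can both be driven from the same lockfile walk. The following Node.js script is an added example and is not StepSecurity's NPM Cooldown check nor code from this post; the package names, versions, IOC list and publish timestamps in it are constructed placeholders, and the `publishTimes` object stands in for the per-package `time` map the npm registry returns, which a real implementation would fetch.

```javascript
// Added example (not StepSecurity's or the post's own code): scan npm
// lockfiles for known-compromised versions and apply a release-cooldown
// check to the versions a change introduces.
// All package names, versions and timestamps below are constructed
// placeholders, not real indicators from the incident.

// Collect every name -> Set(version) pinned in a lockfile.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages"
// keyed by install path such as "node_modules/a/node_modules/foo").
function collectVersions(lock) {
  const found = new Map();
  const add = (name, version) => {
    if (!name || !version) return;
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(version);
  };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const idx = path.lastIndexOf("node_modules/");
    add(idx === -1 ? path : path.slice(idx + "node_modules/".length), entry.version);
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      add(name, entry.version);
      walk(entry.dependencies); // v1 nests transitive deps inline
    }
  };
  walk(lock.dependencies);
  return found;
}

// Report every pinned version that appears in the IOC list ("name@version").
function findCompromised(lock, iocs) {
  const bad = new Set(iocs);
  const hits = [];
  for (const [name, versions] of collectVersions(lock)) {
    for (const v of versions) if (bad.has(`${name}@${v}`)) hits.push(`${name}@${v}`);
  }
  return hits.sort();
}

// Versions present in newLock but not in oldLock, i.e. what a PR introduces.
function newlyIntroduced(oldLock, newLock) {
  const before = collectVersions(oldLock);
  const out = [];
  for (const [name, versions] of collectVersions(newLock)) {
    for (const v of versions) {
      if (!before.get(name)?.has(v)) out.push({ name, version: v });
    }
  }
  return out;
}

// Cooldown check: flag any introduced version published less than
// cooldownDays before `now`. A version with no known publish time is
// flagged too (fail closed rather than silently allowing it).
function cooldownViolations(oldLock, newLock, publishTimes, cooldownDays, now) {
  const limitMs = cooldownDays * 24 * 60 * 60 * 1000;
  const violations = [];
  for (const { name, version } of newlyIntroduced(oldLock, newLock)) {
    const published = publishTimes[name]?.[version];
    if (!published) { violations.push(`${name}@${version} (no publish time)`); continue; }
    const ageMs = now.getTime() - new Date(published).getTime();
    if (ageMs < limitMs) violations.push(`${name}@${version}`);
  }
  return violations.sort();
}

// --- constructed sample data (placeholders, not real indicators) ---
const IOCS = ["example-ui-lib@2.4.1", "example-cli-tool@7.0.3"];
const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/example-ui-lib": { version: "2.4.0" } } };
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/example-ui-lib": { version: "2.4.1" },
  "node_modules/example-cli-tool": { version: "7.0.3" },
  "node_modules/old-stable-lib": { version: "1.0.0" } } };
const publishTimes = {
  "example-ui-lib": { "2.4.0": "2025-10-01T00:00:00Z", "2.4.1": "2025-11-24T03:00:00Z" },
  "example-cli-tool": { "7.0.3": "2025-11-24T03:10:00Z" },
  "old-stable-lib": { "1.0.0": "2025-01-01T00:00:00Z" } };
const NOW = new Date("2025-11-24T08:00:00Z");

console.log("compromised:", findCompromised(lockAfter, IOCS));
console.log("cooldown violations:", cooldownViolations(lockBefore, lockAfter, publishTimes, 2, NOW));
```

In CI the same two functions would be fed the base-branch and head-branch package-lock.json plus the registry's `time` metadata for each introduced package; a non-empty result from either function is the signal to fail the check.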
Here is an example showing how this check protected a project from using the compromised versions of packages involved in this incident:
https://github.com/step-security/test-reporting/pull/16/checks?check_run_id=49850926488

Discover Pull Requests upgrading to compromised npm packages
We have added a new control specifically to detect pull requests that upgraded to these compromised packages. You can find the new control on the StepSecurity dashboard.
Use StepSecurity Harden-Runner to detect compromised dependencies in CI/CD
StepSecurity Harden-Runner adds runtime security monitoring to your GitHub Actions workflows, providing visibility into network calls, file system changes, and process executions during CI/CD runs. Harden-Runner detects the compromised nx packages when they are used in CI/CD. Here is a sample Harden-Runner insights page demonstrating this detection:

If you're already using Harden-Runner, we strongly recommend you review recent anomaly detections in your Harden-Runner dashboard. You can get started with Harden-Runner by following the guide at https://docs.stepsecurity.io/harden-runner.
Use StepSecurity Threat Center for real-time supply chain threat intelligence
The StepSecurity Threat Center provides comprehensive details about this @ctrl/tinycolor compromise and all 40+ affected packages. Access the Threat Center through your dashboard to view IOCs, remediation guidance, and real-time updates as new compromised packages are discovered. Threat alerts are automatically delivered to your SIEM via AWS S3 and webhook integrations, enabling immediate incident response when supply chain attacks occur. Our detection systems identified this attack within minutes of publication, providing early warning before widespread exploitation.

Use StepSecurity Artifact Monitor to detect software releases outside of authorized pipelines
StepSecurity Artifact Monitor provides real-time detection of unauthorized package releases by continuously monitoring your artifacts across package registries. This tool would have flagged this incident by detecting that the compromised versions were published outside of the project's authorized CI/CD pipeline. The monitor tracks release patterns, verifies provenance, and alerts teams when packages are published through unusual channels or from unexpected locations. By implementing Artifact Monitor, organizations can catch supply chain compromises within minutes rather than hours or days, significantly reducing the window of exposure to malicious packages.

Learn more about implementing Artifact Monitor in your security workflow at https://docs.stepsecurity.io/artifact-monitor.
Credits
This incident was first announced and reported by Aikido Security. For their analysis and ongoing updates, visit the Aikido blog post.
Conclusion
The "Sha1-Hulud: The Second Coming" attack demonstrates that supply chain security remains one of the most critical challenges facing the software development ecosystem. The story is developing and we will continue to update this post as new information becomes available.