A second wave of the Shai-Hulud supply-chain attack has struck the npm software ecosystem, affecting more than 25,000 projects and hundreds of developers, Israeli tech firm Sola Security announced on Tuesday.
This attack, which occurred between November 21 and 23, 2025, involved hackers adding hidden malicious code to popular npm packages, including those used by Zapier, PostHog, Postman, and ENS Domains.
The malware runs automatically during the pre-install phase, meaning it executes before the software is fully installed. This allows it to steal sensitive information from developer machines and automated build systems.
The stolen data includes GitHub access tokens, npm credentials, and cloud provider credentials for AWS, Azure, and GCP. Once captured, this information is uploaded to GitHub repositories controlled by the attackers, labeled “Sha1-Hulud: The Second Coming.”
Unlike the first Shai-Hulud attack, this version spreads automatically. It can inject itself into other npm packages managed by infected developers, and it scans for additional credentials to steal. If the malware cannot obtain access or credentials, it triggers a destructive “fail-safe” that attempts to erase the user’s home directory or gain full system control on Linux machines using Docker.
Malware runs without human interaction
Security experts warn this is a major escalation in software supply-chain attacks, because the malware runs without human interaction, spreads rapidly, steals highly sensitive credentials, and has the potential to destroy data. Developers and organizations are urged to scan for compromised packages, remove infected versions immediately, rotate all passwords and tokens, and audit GitHub workflows for suspicious files or repositories to prevent further compromise.
Sola Security tracks infected npm packages in real time, enabling companies to access the latest information on such attacks. The Israeli company also has a publicly available manual that companies can use to quickly check whether their projects have been affected.