The Shai-Hulud campaign is back, but this time with improved automation, persistence tactics, and a new name. In a matter of days, the self-replicating "Sha1-Hulud" malware has resulted in thousands of malicious packages, including some legitimate packages that were hijacked. And the campaign is ongoing.
The initial Shai-Hulud was a self-spreading malware campaign targeting npm in September 2025, automatically creating and publishing new malicious packages — each one cloning and propagating itself across repositories to expand its reach. This version, Sha1-Hulud, is even more sophisticated (and punnier).
Initially reported by researchers at Wiz and Aikido, this new wave shows how adversaries are now scaling their operations using the very automation developers rely on every day. Expanding on this, Sonatype Security Research discovered over 2,100 malicious packages associated with this campaign (tracked as sonatype-2025-007248). This campaign is ongoing, and new packages continue to be implicated.
Sonatype also observed that both ChatGPT and Gemini incorrectly classified the malicious packages as safe when asked to analyze the payloads, highlighting the limits of agentic and generative AI-based code review. Threat actors are likely writing code designed to avoid AI detection, and they will only get more effective.
Unlike earlier supply chain compromises that focused on injecting malicious code into individual packages, Sha1-Hulud extends its reach into the broader development ecosystem. This shift marks a clear evolution in attacker behavior — from targeting open source components to weaponizing the entire software delivery process.
From Malicious Packages to Malicious Pipelines
The original Shai-Hulud campaign showed how stolen maintainer credentials could be used to publish trojanized npm packages. Instead of stopping at a single package, the attacker uses harvested credentials to automate the next stage of infection — turning build systems and developer pipelines into delivery mechanisms. The new Sha1-Hulud goes further.
Once installed, malicious scripts search local environments for npm tokens, GitHub credentials, and cloud keys. Those secrets are exfiltrated and reused to publish new packages on npm. Sha1-Hulud transforms the interconnected software supply chain into its own distribution network.
What This Wave Tells Us
Sha1-Hulud shows how quickly attacker tradecraft is evolving, and how easily it now blends into legitimate development workflows. Rebranding as Sha1-Hulud in a nod to the SHA-1 hashing algorithm (or perhaps posing as the same threat actor to dupe researchers), this worm automates the supply chain compromise process end-to-end.
With stolen credentials and continuous integration hooks, the actor can move between projects in minutes, turning every dependency, build runner, and access token into a potential distribution point. This marks a clear shift from package-level compromise to ecosystem-level exploitation — a turning point in how open source automation is being weaponized. Speed and automation no longer serve only developers; they amplify both innovation and attack surface.
The new samples are unusually large and use a non-standard JavaScript runtime to collect local data, which is then published to public GitHub repositories as .json files by the victim's account. In testing, Sonatype Security Research observed that AI-based code analysis tools failed to classify the payload accurately, likely due to the more than 200,000 lines of code. Large-language models exceeded their context limits, lost track of logic, and, seeing no outbound connections to suspicious domains, mislabeled the code as legitimate.
It's a clear signal of where attacker innovation is heading — adversaries learning not only to exploit automation, but also to hide from the AI systems built to detect them.
What Developers Must Do Now
-
Audit recent npm activity: Review dependencies updated since mid-November 2025 for unusual versioning or install behavior. Use Sonatype Lifecycle to create an up-to-date SBOM and identify projects using malicious or suspicious npm versions.
-
Rotate and scope credentials: Replace npm, GitHub, and CI/CD tokens. Enforce MFA and use short-lived, least-privilege tokens. For consistency at scale, pair these operational controls with Sonatype Lifecycle policy enforcement to detect and block deployments with compromised credentials or unauthorized package versions.
-
Inspect lifecycle scripts: Check preinstall, install, and postinstall hooks for obfuscated code or network calls. Sonatype Repository Firewall continuously compares incoming components against Sonatype's Research Intelligence data, automatically quarantining new or suspicious packages.
-
Review GitHub account activity: Look for any recently published GitHub repositories with the description "Sha1-Hulud: The Second Coming."
-
Restrict automation paths: Limit network access from build systems and monitor dependency changes continuously. Sonatype Lifecycle automatically applies policies across your CI/CD pipelines and integrates with repository managers to analyze new dependency versions in real time.
If you're a Sonatype customer, review our documentation about these attacks here.
Attacker Innovation, Defender Adaptation
The Sha1-Hulud campaign underscores how quickly attackers learn from defenders — and how easily automation can be repurposed as a weapon. The same pipelines that power modern development now serve as attack surfaces for credential theft, persistence, and rapid propagation.
For defenders, the path forward is clear. Security controls must operate with the same speed and precision as the systems they protect. Continuous analysis, automated blocking, and deterministic intelligence remain the most reliable defenses against an increasingly automated adversary.
Open source moves fast — and so do those who exploit it. Staying secure means matching that pace, not reacting to it.
Written by Sonatype Security Research Team
Sonatype's Security Research Team is focused on bringing real-time, in-depth intelligence and actionable information about open source and third party vulnerabilities to Sonatype customers.
Tags
