Massive supply‑chain chaos: SHA1-HULUD strikes again
TL;DR
- A new Sha1-Hulud npm supply-chain attack occurred Nov 21–23, 2025, compromising hundreds of npm packages.
- Compromised packages run install-time scripts to steal developer, CI/CD, and cloud credentials.
- Thousands of downstream repositories have pulled compromised versions, making this an active incident.
- Users should check dependencies, workflows, and rotate credentials if affected packages are found.
- Harden deployment by using least-privilege tokens, enforcing lock-files, disabling install-scripts, and enabling secret scanning.
A new wave of the Sha1-Hulud npm supply‑chain attack was launched between November 21–23 2025, involving hundreds of trojanized npm packages that run install‑time scripts to harvest developer, CI/CD and cloud credentials, and exfiltrate them into attacker‑controlled GitHub repositories.
Affected libraries span multiple high‑visibility namespaces, and thousands of downstream repositories appear to have pulled the compromised versions. This is an active, evolving incident.
💡 We are actively collecting all known compromised package names from multiple sources and publishing a live‑updating page here.
What to do now
1. Check for affected dependencies
Review your codebases, lock‑files, SBOMs and registries for any npm versions published between November 21–23, 2025 that match the compromised lists.
If found: Remove the malicious versions, clear caches, reinstall clean versions, and preserve artifacts for forensics.
Using Sola:
Install the dedicated app from the Sola App Gallery.
This app includes ready‑to‑use queries for identifying vulnerable packages known so far.
Use Sola to query for vulnerable package names and versions. Connect your GitHub as a data-source and prompt Sola to scan for compromised or vulnerable packages.
2. Check your workflows
Inspect for suspicious changes in the past few days:
- New or unexpected repositories
- Altered workflow files
- Anomalous token usage
- Repository visibility changes
- Unexpected automation/bot activity
3. Rotate credentials if you identify an affected package
If you found a compromised package in a developer machine, CI job or build pipeline, assume secrets from that environment may have been exposed and rotate:
- GitHub Personal Access Tokens / automation tokens
- npm tokens
- Cloud/service API keys
- CI/CD credentials & environment variables
4. Harden your deployment processes
Use least‑privilege for tokens, enforce lock‑files/pinned versions, disable install‑scripts where possible, and enable automated secret‑scanning and dependency‑integrity controls.
Further reading
- Aikido Security: Shai-Hulud Strikes Again – Second Wave Targeting Major Package Namespaces
- Wiz Research: Shai-Hulud 2.0 – Ongoing npm Supply Chain Attack
- CISA Alert: Widespread Supply Chain Compromise Impacting npm Ecosystem
- Palo Alto Networks Unit 42: ‘Shai‑Hulud’ Worm Compromises npm Ecosystem in Supply Chain Attack
- Sonatype Blog: Ongoing npm Software Supply Chain Attack Exposes New Risks
- JFrog Blog: Shai‑Hulud npm supply chain attack – new compromised packages detected
- Upwind Feed: Shai Hulud 2.0: The NPM Supply Chain Attack Returns as an Aggressive Self-Propagating Worm
Tackle Sha1-Hulud and everything else.
Make your war room less war-y.
Frequently asked questions
Chief Information Security Officer, Sola Security
Yoni has spent the past decade leading security engineering at companies like Meta (formerly Facebook) and AppsFlyer, and now brings his sharp eye and steady hand to Sola as CISO. Known for phishing drills so sneaky they make the real attackers take notes, he stays chill even when everyone else is refreshing dashboards and reaching for incident snacks.
