Overview
- Security teams report hundreds of compromised npm packages, including packages published by Zapier, ENS Domains, PostHog, Postman, and AsyncAPI, uploaded to the registry between November 21 and 23.
- The new variant executes during npm's preinstall phase: a setup_bun.js launcher loads a large bun_environment.js payload, which registers self-hosted GitHub Actions runners and injects GitHub workflows that give the attacker remote command execution.
- Wiz observed more than 25,000 affected repositories tied to roughly 350 users, with new repositories appearing in surges of about 1,000 every 30 minutes; GitHub keeps removing the attacker-created repositories, but they continue to reappear.
- Stolen developer and CI/CD secrets are published to public GitHub repositories often labeled "Sha1-Hulud: The Second Coming," raising the risk of downstream exploitation despite no confirmed attribution.
- Researchers warn that some variants attempt a destructive wipe of the victim's data if exfiltration fails, while vendors including Snyk and Docker have shipped detection updates and advise immediately rolling back to known-good package versions, clearing the npm cache, and rotating tokens.