Particle.news

Shai-Hulud npm Worm Exposes 25,000+ GitHub Repos Through Trojanized Packages

The new variant executes during npm's preinstall stage to harvest developer and CI/CD credentials.

Overview

  • Researchers say hundreds of npm packages were compromised between November 21 and 23, including projects from Zapier, ENS Domains, PostHog, Postman and AsyncAPI.
  • Wiz reported more than 25,000 affected repositories across roughly 350 users with about 1,000 new entries appearing every 30 minutes, while GitHub deletes attacker-created repos as new ones emerge.
  • The payload uses setup_bun.js and a large bun_environment.js file to scan systems, create cloud.json and related data files, and publish encoded secrets to repositories described as “Sha1-Hulud: The Second Coming.”
  • The campaign abuses compromised maintainer accounts and stolen npm or GitHub tokens to inject workflows and register self-hosted runners for rapid propagation, with attribution not confirmed.
  • Security vendors issued detections and guidance, including Docker’s advisory and Snyk’s monitoring, as teams are urged to roll back or pin safe versions, clear npm caches, rotate all tokens, audit workflows and note reports of destructive fallback behavior in some variants.
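The preinstall-stage hook and the setup_bun.js / bun_environment.js files named above are artifacts a defender can look for in a checked-out tree before rotating tokens. The script below is an added example, not code from the report or from any vendor advisory; the sample packages it builds under a temporary directory are constructed, and the package names are hypothetical.

```python
import json
import os
import re
import tempfile

# File names quoted in the report, and the lifecycle hooks npm runs automatically at install time.
SUSPECT_FILES = {"setup_bun.js", "bun_environment.js"}
HOOKS = ("preinstall", "install", "postinstall")
PATTERN = re.compile("|".join(re.escape(n) for n in sorted(SUSPECT_FILES)))

def scan_manifest(path):
    # Flag install-time hooks whose command references one of the named payload files.
    try:
        with open(path, encoding="utf-8") as f:
            manifest = json.load(f)
    except (OSError, ValueError):
        return [(path, "unreadable or malformed package.json")]
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    out = []
    for hook in HOOKS:
        cmd = scripts.get(hook) if isinstance(scripts, dict) else None
        if isinstance(cmd, str) and PATTERN.search(cmd):
            out.append((path, f"{hook} hook runs {cmd!r}"))
    return out

def scan_tree(root):
    # Walk a checked-out tree (node_modules included) and return (path, reason) findings.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in SUSPECT_FILES:
                findings.append((path, "dropped file named in the report"))
            elif name == "package.json":
                findings.extend(scan_manifest(path))
    return findings

def build_fixture():
    # Constructed sample tree: one package with a suspect preinstall hook, one clean package.
    root = tempfile.mkdtemp(prefix="npm-scan-")
    bad = os.path.join(root, "node_modules", "sample-bad-pkg")    # hypothetical package name
    good = os.path.join(root, "node_modules", "sample-good-pkg")  # hypothetical package name
    for d, manifest in ((bad, {"scripts": {"preinstall": "node setup_bun.js"}}),
                        (good, {"scripts": {"test": "jest"}})):
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w") as f:
            json.dump(manifest, f)
    open(os.path.join(bad, "setup_bun.js"), "w").close()  # empty stand-in for the dropped file
    return root
```

Point `scan_tree` at a real project root instead of `build_fixture()` to triage a checkout; a hit on a lockfile-pinned dependency is a signal to roll the package back to a known-good version, not merely to delete the file.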