Sha1-Hulud 2.0: The Second Coming
The first self-replicating worm that compromised npm packages with cloud token-stealing malware

It’s 4:27 AM. Your phone is buzzing. Again. Then comes an email from your CNAPP vendor titled "Ongoing Supply Chain Campaign", referencing Shai-Hulud. Shai-Hulud is back, and packages from additional maintainers, including Zapier, ENS Domains, PostHog, and Postman, have been trojanized. Shai-Hulud was the first self-replicating worm to compromise npm packages with cloud token-stealing malware.
Back story: Shai-Hulud was first discovered in September 2025, during a software supply chain attack on the open-source npm ecosystem. It caused widespread panic, but it was eventually contained and mitigated. You can read more about it in the Wiz research team’s articles here.
Today, November 24th, 2025, the resurgence of Sha1-Hulud 2.0: The Second Coming has caused widespread concern across the technology industry, to the point that Snyk, Wiz, and many other vendors moved quickly to address the malware and limit the impact on their affected customers.
This outbreak has already surpassed the original Shai-Hulud campaign: over 800 npm packages have been trojanized and numerous GitHub repositories have been impacted. At the time of writing this technical wiki, the blast radius has crossed 25k. The malware has spread rapidly across maintainers, including those mentioned above (Zapier, ENS Domains, PostHog, and Postman).
While doing more research, I found a research article by the KOI team explaining that the resurgence is so aggressive that it has a fallback mechanism: when the malware fails to authenticate or establish persistence, it attempts to destroy the victim’s entire home directory. The malware deletes every writable file owned by the current user under the home directory. This fallback is triggered if the malware cannot authenticate to GitHub, cannot create a GitHub repository, cannot fetch a GitHub token, or cannot find an npm token.
Recommended Actions
Snyk has updated its reporting filters so you can search findings by campaign name, such as Shai-Hulud.
Wiz shared actionable recommendations, even for organizations that are not affected:
Monitor - Track any new package installations from affected namespaces such as AsyncAPI, PostHog, Browserbase, and Postman.
Review CI/CD - Verify that build pipelines have restricted outbound network access.
Rotate credentials - Implement regular rotation for npm and GitHub tokens.
Restrict lifecycle scripts - Consider blocking preinstall/postinstall execution in production.
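As an added example (not from the Wiz guidance or this page’s author), the POSIX shell script below shows two concrete checks for the "restrict lifecycle scripts" item: it writes a project-level `.npmrc` with `ignore-scripts=true`, and it inventories which installed packages declare preinstall/postinstall hooks so you know what that setting will suppress. The sample node_modules tree, the package names (`benign-lib`, `hooked-lib`) and the hook command are constructed for the demo and are not real packages from the campaign.

```shell
#!/bin/sh
# Added example: enforce and audit the "restrict lifecycle scripts" recommendation.
# The package tree built below is constructed for this demo; the package names and
# the hook command are placeholders, not real packages from the Shai-Hulud campaign.
set -eu

# Write a project-level .npmrc that makes npm skip every dependency's lifecycle
# scripts (preinstall/install/postinstall) during `npm install` and `npm ci`.
# Commit this file so CI runners and developer machines all pick it up.
write_npmrc_ignore_scripts() {
    printf 'ignore-scripts=true\n' > "$1/.npmrc"
}

# Print, sorted, every package.json under $1 that declares a preinstall or
# postinstall script. grep-only on purpose: it runs in a minimal CI image with
# no node or jq, and it never executes anything from the package itself.
lifecycle_scripts_in() {
    find "$1" -name package.json -type f | while read -r f; do
        if grep -Eq '"(preinstall|postinstall)"[[:space:]]*:' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# --- demo on a constructed tree: one clean package, one with a postinstall hook ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/node_modules/benign-lib" "$demo_dir/node_modules/hooked-lib"
cat > "$demo_dir/node_modules/benign-lib/package.json" <<'EOF'
{ "name": "benign-lib", "version": "1.0.0",
  "scripts": { "test": "node test.js" } }
EOF
cat > "$demo_dir/node_modules/hooked-lib/package.json" <<'EOF'
{ "name": "hooked-lib", "version": "1.0.0",
  "scripts": { "postinstall": "node hook.js" } }
EOF

write_npmrc_ignore_scripts "$demo_dir"
echo "npmrc now contains: $(cat "$demo_dir/.npmrc")"
echo "packages declaring install hooks:"
lifecycle_scripts_in "$demo_dir/node_modules"
```

Two caveats when rolling this out. `ignore-scripts=true` suppresses pre/post hooks on every install, but commands that explicitly target a script (`npm test`, `npm run build`) still run that script, so your own build does not break. Some native dependencies genuinely need a postinstall step; the inventory above tells you which ones, so you can rebuild those few in a separate, network-restricted step rather than re-enabling scripts globally.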
Check out Wiz’s comprehensive research write-up on Shai-Hulud 2.0: The Second Coming; it covers the campaign in detail.



