ADVERTISEMENT

Shai-Hulud supply chain attacks back with a vengeance, impacting 28k GitHub repositories

The Shai-Hulud supply chain attack campaign, already responsible for compromising hundreds of CrowdStrike’s NPM packages in September, is back with a vengeance, according to a new warning by cybersecurity firm Aikido.

npm package compromise

Image by Cybernews.

Stefanie Schappert
Stefanie Schappert Senior Journalist
Nov 25, 2025 Updated: 25 November 2025 4 min read

Escalating campaign started months ago

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Add us as your Preferred Source on Google.
ADVERTISEMENT

The 'Second Coming'

August 27 - Aikido report details S1ngularity campaign targeting several nx packages on npm.
September 16 - First wave of the Shai-Hulud attacks.
September 18 - Aikido publishes follow-up analysis on campaign.
November 24 - Second wave of attacks, threat actor dubs “Second Coming.”
The Attacker Timeline
Shai-Hulud attack  The Second Coming
Section of compromised packages, "Sha1-Hulud: The Second Coming" repository description, Attackers use similar techniques in 2nd attack wave, exposing 26.3k GitHub repositories. Images by Aikido.

What can organizations do now?

  • Audit all Zapier/ENS-related npm dependencies and versions.
  • Rotate all GitHub, npm, cloud, and CI/CD secrets used during installs.
  • Check GitHub for strange repos with the description “Sha1-Hulud: The Second Coming”
  • Disable npm postinstall scripts in CI where possible.
  • Pin package versions and enforce MFA on GitHub and npm accounts.
  • Use tools like Safe-Chain to block malicious packages on NPM

ADVERTISEMENT