Shai-Hulud: The Second Coming

A substantially evolved variant of the Shai-Hulud malware, now identified as Sha1-Hulud, has been uncovered, with more than 800 affected packages. This version introduces persistent backdoor functionality through self-hosted GitHub Actions runners registered on infected machines, and extends credential harvesting across multiple cloud providers. The latest iteration reflects a concerning leap in supply chain attack sophistication: it adds mechanisms that allow attackers to retain long-term access to infected developer workstations and CI/CD environments even after the initial compromise is detected.

The campaign has successfully infiltrated packages maintained by several major organizations, including PostHog (@posthog/siphash), ENS Domains (@ensdomains/* packages such as ensjs, ens-contracts, and react-ens-address), and Zapier (multiple @zapier/* packages along with zapier-platform-* tooling). Sequential version increments across various Zapier packages (for example, 18.0.2 → 18.0.3 → 18.0.4) illustrate an automated propagation mechanism that continually republishes compromised components.

Evolution from September 2025 Shai-Hulud attack

The September 2025 Shai-Hulud incident primarily concentrated on credential harvesting and self-propagation. In contrast, this new variant incorporates several critical capabilities that mark a significant shift in the overall threat model:

Persistent remote access. Deployment of self-hosted GitHub Actions runners that grant attackers authenticated command execution on infected machines.

Enhanced token recycling. Systematic search for previously stolen GitHub tokens and reuse of those credentials, enabling sustained operation even when primary tokens are revoked.

Multi-cloud secret enumeration. Unified harvesting of credentials across AWS, GCP, and Azure, including extensive scanning of secret managers across 17 AWS regions.

Azure DevOps exploitation. Targeted privilege escalation techniques and network security bypass measures within Azure DevOps Linux environments.

Destructive failsafe. Built-in data destruction routines activated when credential theft attempts fail, likely intended as an anti-forensics safeguard.


Conclusion

This advanced Shai-Hulud variant marks a notable escalation in npm supply chain attack techniques. The blend of persistent backdoor access via self-hosted GitHub Actions runners, broad multi-cloud credential harvesting, and automated malicious package propagation forms a highly dangerous threat: one that can maintain long-term access to compromised systems while spreading rapidly throughout the package ecosystem.

Across the industry, "minimum release age" controls in package managers and in Mend Renovate have proven effective in mitigating the impact of this incident. By refusing to install a version until it has been published for a set period, they prevented the freshly republished compromised versions from being downloaded while they were still new.
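The following added example, which is not code from the original page, from pnpm or from Mend Renovate, shows the mechanics of a minimum-release-age control over the `time` map that the npm registry returns for a package (version to publish timestamp). The package versions, timestamps and evaluation time are constructed to mirror the rapid sequential republishes noted above; the minimum age is expressed in minutes, as pnpm does.

```python
"""Minimum-release-age filter over an npm registry `time` map.

Added example; not code from the original page, pnpm or Mend Renovate.
Package versions, timestamps and the evaluation time are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed packument fragment: one long-established release followed by
# three versions republished within hours of each other (the pattern the
# article describes for the compromised packages).
CONSTRUCTED_TIME_MAP = {
    "created": "2023-01-10T12:00:00.000Z",
    "modified": "2025-11-24T09:12:00.000Z",
    "18.0.1": "2025-09-02T10:00:00.000Z",
    "18.0.2": "2025-11-24T07:30:00.000Z",
    "18.0.3": "2025-11-24T08:05:00.000Z",
    "18.0.4": "2025-11-24T09:12:00.000Z",
}
# Constructed evaluation time: a few hours after the last republish.
CONSTRUCTED_NOW = datetime(2025, 11, 24, 12, 0, tzinfo=timezone.utc)


def parse_npm_time(value):
    # The registry uses a 'Z' suffix; normalise it for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _version_key(version):
    # Numeric sort for plain MAJOR.MINOR.PATCH; pre-release tags are not handled.
    return tuple(int(part) for part in version.split("-")[0].split("."))


def _release_versions(time_map):
    # Skip the two non-version keys the registry includes in `time`.
    return [v for v in time_map if v not in ("created", "modified")]


def eligible_versions(time_map, now, min_age_minutes):
    """Versions that have been published for at least `min_age_minutes`."""
    min_age = timedelta(minutes=min_age_minutes)
    return [v for v in _release_versions(time_map)
            if now - parse_npm_time(time_map[v]) >= min_age]


def quarantined_versions(time_map, now, min_age_minutes):
    """Versions still too new to install under the policy."""
    eligible = set(eligible_versions(time_map, now, min_age_minutes))
    return [v for v in _release_versions(time_map) if v not in eligible]


def resolve_latest(time_map, now, min_age_minutes):
    """Highest version the policy permits, or None if nothing is old enough."""
    eligible = eligible_versions(time_map, now, min_age_minutes)
    return max(eligible, key=_version_key) if eligible else None


if __name__ == "__main__":
    for policy in (0, 1440):  # no delay vs. a 24-hour minimum release age
        print("min age %4d min -> install %s, quarantined %s" % (
            policy,
            resolve_latest(CONSTRUCTED_TIME_MAP, CONSTRUCTED_NOW, policy),
            quarantined_versions(CONSTRUCTED_TIME_MAP, CONSTRUCTED_NOW, policy)))
```

With a 24-hour policy the resolver installs 18.0.1 and holds back the three same-day republishes; with no policy it would take 18.0.4 immediately. In practice the setting is exposed as `minimumReleaseAge` in pnpm (minutes) and `minimumReleaseAge` in Renovate's configuration (a duration string); consult each tool's documentation for the exact syntax in your version.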
