Second Wave of Sha1-Hulud Targets Over 25,000 Repositories Through npm Preinstall Credential Theft

New Supply Chain Attack Targets npm: What IT Managers Need to Know

A second wave of attacks on the npm registry, named Sha1-Hulud, has emerged, compounding the security concerns raised by the earlier Shai-Hulud attack. This new phase has compromised hundreds of npm packages, which execute malicious code during installation.

Key Details

Who: Security vendors including Wiz, Aikido, and Koi Security report on this attack.

What: The Sha1-Hulud campaign has introduced trojanized npm packages that execute harmful scripts to steal credentials during the installation process.

When: The compromised packages were uploaded between November 21 and 23, 2025.

Where: This attack primarily targets users of the npm registry, affecting thousands of repositories.

Why: The attack is significant as it increases exposure to credential theft in build and runtime environments, potentially harming organizations’ security postures.

How: The malware is delivered through a preinstall script that executes malicious actions, including registering the infected machine as a self-hosted runner to exfiltrate secrets from GitHub.

Why It Matters

This incident highlights vulnerabilities in:

  • Enterprise Security: Illegitimate packages can compromise even secure environments.
  • Multi-cloud Adoption: Organizations using npm across various platforms need to reassess integration and dependency management.
  • Compliance: The risk of data breach raises compliance challenges in industries with stringent regulations.

Takeaway for IT Teams

IT professionals should act promptly by scanning for impacted npm packages, removing any compromised versions, rotating credentials, and auditing repositories for suspicious workflows. This is critical to mitigating the heightened risk associated with the ongoing Sha1-Hulud threat.
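
One way to start the package scan and the workflow audit described above, as an added example (not code from this article or from the vendors it cites). The advisory entry, package names and workflow files are constructed placeholders; `hasInstallScript` is the flag npm records in lockfileVersion 2 and 3 for packages that declare a preinstall, install or postinstall script.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// and workflow files for the two indicators the article describes.

// Placeholder advisory list (constructed entry, not a real indicator);
// populate it from the vendor advisories before use.
const KNOWN_BAD = new Set(["example-compromised-pkg@1.2.3"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Report known-bad versions, plus every other package that npm marked as
// having a preinstall/install/postinstall script (hasInstallScript).
function auditLockfile(lock, knownBad = KNOWN_BAD) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const id = `${meta.name || nameFromLockPath(path)}@${meta.version}`;
    if (knownBad.has(id)) findings.push({ id, reason: "known-compromised" });
    else if (meta.hasInstallScript) findings.push({ id, reason: "install-script" });
  }
  return findings;
}

// Return workflow files whose runs-on (inline or list form) names a
// self-hosted runner, so a reviewer can confirm each one is expected.
function findSelfHostedWorkflows(workflows) {
  const runsOn = /^[ \t]*runs-on:[^\n]*(?:\n[ \t]*-[^\n]*)*/gm;
  return Object.keys(workflows).filter((file) =>
    (workflows[file].match(runsOn) || []).some((b) => /\bself-hosted\b/.test(b)));
}

// Constructed sample input.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/plain-lib": { version: "1.0.0" },
  "node_modules/example-compromised-pkg": { version: "1.2.3", hasInstallScript: true },
  "node_modules/a/node_modules/@demo/native-addon": { version: "2.0.0", hasInstallScript: true },
} };
const sampleWorkflows = {
  ".github/workflows/ci.yml": "jobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - run: npm ci\n",
  ".github/workflows/unreviewed.yml": "jobs:\n  x:\n    runs-on:\n      - self-hosted\n    steps:\n      - run: id\n",
};

console.log(auditLockfile(sampleLock), findSelfHostedWorkflows(sampleWorkflows));
```

To run it on a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as `lock` and the contents of each file under `.github/workflows/` as `workflows`. An `install-script` finding is a prompt for review rather than a verdict, since many legitimate packages build native code at install time.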

For ongoing updates and best practices, stay informed at TrendInfra.com.

Meena Kande
