Shai Hulud 2.0, now with a wiper flavor
ID: 420c1201-d6ab-5187-a1c3-af42f79e19ce
STIX ID: report--420c1201-d6ab-5187-a1c3-af42f79e19ce
Feed Name: Securelist by Kaspersky
Kaspersky describes Shai Hulud 2.0, a two-stage worm that infects npm packages by abusing developer npm tokens. An unobfuscated bootstrap (setup_bun.js) installs a Bun runtime, which runs a large obfuscated payload (bun_environment.js). The payload harvests GitHub and cloud credentials, exfiltrates data to attacker-controlled GitHub repositories, and self-replicates by injecting malicious files into maintainers' packages and republishing them. If it is unable to exfiltrate, it triggers destructive file-wiping. Over 800 packages were infected, and Kaspersky blocked more than 1,700 attacks.
