New Shai-hulud worm spreads: What to know
ID: e081d6da-2bd5-510d-aa40-63105828410d
STIX ID: report--e081d6da-2bd5-510d-aa40-63105828410d
Feed Name: ReversingLabs Blog
ReversingLabs reports a large-scale npm supply-chain malware campaign dubbed "Shai-hulud" and its November 2025 resurgence ("Sha1-Hulud: The Second Coming"). The document cites roughly 795 compromised packages, including widely used libraries with millions of downloads. The worm propagates by injecting malicious lifecycle scripts into package manifests: a preinstall hook invokes setup_bun.js, which in turn runs bun_environment.js. Once running, it harvests cloud and repository tokens (using tools such as TruffleHog) and exfiltrates the data to thousands of attacker-created GitHub repositories; RL observed more than 27,000 of them. The 2.0 variant adds wiper capabilities. The report includes IoCs and mitigation guidance: enforce 2FA, use short-lived tokens, require package provenance, and harden CI/CD pipelines.
