
SHA1-Hulud, npm supply chain incident

Blog post from Snyk

Post Details
Company: Snyk
Date Published:
Author: Brian Vermeer
Word Count: 642
Language: English
Hacker News Points: -
Summary

On November 24, 2025, a new supply chain attack in the npm ecosystem, known as SHA1-Hulud, was identified, marking a second wave of the earlier Shai-Hulud attack from September 2025. The worm spreads through trojanized npm packages that carry hidden preinstall scripts, and it turns compromised machines into attacker-controlled GitHub Actions self-hosted runners. That foothold enables remote command execution, secrets exfiltration, and credential harvesting across AWS, Azure, and GCP, potentially compromising source code repositories and cloud infrastructure. SHA1-Hulud also uses more advanced GitHub workflows and a destructive fallback behavior, making it a more automated and more dangerous evolution of its predecessor. Snyk is actively monitoring the incident, re-testing customer assets, and updating its vulnerability databases, while warning that the worm's ability to spread through package installations and CI pipelines poses a significant supply chain threat.