A worm called "Shai-Hulud: The Second Coming" is spreading through npm right now. Zapier, Postman, PostHog, ENS Domains, AsyncAPI. All infected between November 21 and 24, 2025.
The name comes from the giant sandworms in Dune. And just like those worms, this malware spreads fast and leaves destruction behind.
Attackers hacked package maintainer accounts and uploaded infected versions of the original packages. When you run npm install, the malicious code runs automatically. Before the installation even finishes. Before you notice anything.
The malware scans your system for secrets. API keys, GitHub tokens, npm credentials, AWS keys, SSH keys. Everything it finds gets uploaded to public GitHub repos with the description "Sha1-Hulud: The Second Coming."
It also installs a backdoor on your machine. The attackers can run commands on your system whenever they want, even after you think you've cleaned up. And if the malware can't steal your data? It wipes your entire home directory instead.
→ 700+ npm packages infected
→ 25,000+ GitHub repos now contain stolen credentials
→ 132 million monthly downloads affected
→ New stolen secrets appearing every 30 minutes
Check your package.json for:
→ @zapier/* packages
→ @postman/tunnel-agent
→ posthog-node
→ @ensdomains/* packages
→ @asyncapi/* packages
Quick check:
grep -E "zapier|postman|posthog|ensdomains|asyncapi" package.json
If you installed ANY of these between November 21 and 24:
- Assume all credentials on that machine are stolen
- Change everything: GitHub tokens, npm tokens, AWS keys, Azure tokens
- Search GitHub for "Sha1-Hulud: The Second Coming" - your data might be there
- Check your .github/workflows/ folder for files you didn't create
- Use package versions from before November 21
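The check above covers a single package.json; this added script (not from the original post) extends it to the lockfile, where transitive dependencies show up, and lists workflow files newest first. The scope regexes, the demo project and its dependency names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans a project for the
# package names the post lists (package.json and package-lock.json) and lists
# workflow files for manual review. It reports matches only; it does not
# decide whether a matched version is a compromised one.

# Names from the post: whole scopes plus the two unscoped packages.
AFFECTED='(@zapier/[^"/]+|@postman/tunnel-agent|posthog-node|@ensdomains/[^"/]+|@asyncapi/[^"/]+)"'

# Print "file: package" for every listed name found in DIR (default: cwd).
# Returns 1 if anything matched, 0 otherwise, so it can gate a CI step.
scan_project() {
  dir="${1:-.}"
  status=0
  for f in "$dir/package.json" "$dir/package-lock.json"; do
    [ -f "$f" ] || continue
    # -o prints only the matched name; sort -u drops repeats from the lockfile
    hits=$(grep -oE "$AFFECTED" "$f" | sed 's/"$//' | sort -u)
    if [ -n "$hits" ]; then
      status=1
      printf '%s\n' "$hits" | sed "s|^|$f: |"
    fi
  done
  return "$status"
}

# List workflow files newest first, so a file you did not create stands out.
list_workflows() {
  wf="${1:-.}/.github/workflows"
  [ -d "$wf" ] || { echo "no .github/workflows in ${1:-.}"; return 0; }
  ls -lt "$wf"
}

# Constructed sample project (hypothetical dependency names and versions)
# so the script can be tried offline; prints the directory it created.
make_demo_project() {
  d=$(mktemp -d)
  printf '{"dependencies":{"@zapier/example-pkg":"^1.0.0","left-pad":"^1.3.0"}}\n' > "$d/package.json"
  printf '{"packages":{"node_modules/posthog-node":{"version":"0.0.0"}}}\n' > "$d/package-lock.json"
  mkdir -p "$d/.github/workflows"
  touch "$d/.github/workflows/ci.yml"
  echo "$d"
}

# Usage: sh scan.sh /path/to/project ; with no argument the demo project is scanned.
if [ "$#" -gt 0 ]; then target="$1"; else target=$(make_demo_project); fi
if scan_project "$target"; then echo "no listed packages found in $target"; fi
list_workflows "$target"
```

A non-zero exit from scan_project only means a listed name is present; compare the resolved versions in the lockfile against a known-good baseline before deciding the checkout is clean.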
This is why supply chain attacks work. You don't download malware. You trust a package manager. And attackers exploit exactly that trust.
This is a copy post; I just wanted to let you guys know about that.