Cybersecurity researchers from Aikido Security, Koi Security, Socket, and other organizations have reported a second wave of worm attacks on npm, the main JavaScript package registry. The campaign, dubbed "Sha1-Hulud: The Second Coming", compromised between 400 and 800 packages depending on whose count is used, and the true number may be higher. The wave also affected over 25,000 GitHub repositories, and the victims include packages maintained by Zapier, ENS, AsyncAPI, PostHog, and Postman.
Sha1-Hulud is a self-replicating npm worm. Each trojanized package ships a `preinstall` hook in its package.json that runs a loader, `setup_bun.js`; the loader installs the Bun runtime if it is not already present and then uses it to execute the main payload, `bun_environment.js`. Because the hook fires during `npm install`, anyone who installs a compromised package is infected automatically, and every npm publish token the payload harvests lets the worm push trojanized versions of further packages, which is how it spreads. On the infected host the payload runs TruffleHog to hunt for credentials such as npm, GitHub and cloud tokens and exfiltrates what it finds. Unlike the first wave, the new variant is more aggressive: according to Koi Security, if it fails to obtain usable credentials or tokens, it can delete the user's data.
"If Sha1-Hulud fails to steal data, it destroys it, making the second wave of attacks more destructive than the first, which focused solely on information theft," the researchers explained.
The malicious publishes began on November 21, 2025, continued through at least November 23, and the campaign was still ongoing at the time of writing. At least 10 of the compromised packages are actively used in the cryptocurrency ecosystem, including ensjs, ens-validation, ethereum-ens, and ens-contracts, which belong to the Ethereum Name Service tooling and are downloaded thousands of times a week. The crypto-addr-codec package was also affected.
Similar incidents have been reported previously: attackers took over the npm account of the maintainer known as qix and pushed malicious versions of several popular libraries, although the attackers' reported gains were only about $50.
Experts emphasize that this campaign demonstrates the evolution of attacker tactics, from simple data theft to outright sabotage and data destruction. npm users are advised to verify where their packages come from, audit and pin dependency versions, and use code integrity tools to minimize the risk of infection.
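As an added illustration of the infection path described above and of the hardening advice, the following POSIX shell snippet scans an installed dependency tree for the two file names and the `preinstall` hook the worm relies on, and disables npm lifecycle scripts for a project through `.npmrc`. This is example code written for this page, not code from the article or from any of the research teams named in it; the file and hook names come from the article, while the function names and the exact grep pattern are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or any vendor's tooling): a small POSIX
# shell scanner for the Sha1-Hulud install-time indicators described above,
# plus a one-line hardening step. Assumptions: the loader is named
# setup_bun.js, the payload bun_environment.js, and the hook is a package.json
# "preinstall" entry that invokes the loader.

# Report dropped loader/payload files and preinstall hooks under a project.
# Exit status 0 = nothing found, 1 = at least one indicator present.
scan_node_modules() {
  root="$1"
  # 1. The loader and payload files themselves, anywhere in the tree.
  dropped=$(find "$root" -type f \( -name setup_bun.js -o -name bun_environment.js \) 2>/dev/null) || true
  # 2. Any package.json whose preinstall hook runs the loader.
  #    (GNU find reports grep's non-zero status when nothing matches, hence "|| true".)
  hooks=$(find "$root" -type f -name package.json -exec \
            grep -l -E '"preinstall"[[:space:]]*:[[:space:]]*"[^"]*setup_bun' {} + 2>/dev/null) || true
  # Paths are split on whitespace here, which is acceptable for node_modules trees.
  [ -n "$dropped" ] && printf 'SUSPICIOUS FILE: %s\n' $dropped
  [ -n "$hooks" ]   && printf 'SUSPICIOUS PREINSTALL HOOK: %s\n' $hooks
  [ -z "$dropped" ] && [ -z "$hooks" ]
}

# Stop npm from running install-time lifecycle scripts for this project by
# adding ignore-scripts=true to its .npmrc (idempotent; the key is a real npm
# config option, the helper name is this example's own).
disable_install_scripts() {
  rc="$1/.npmrc"
  grep -qs '^ignore-scripts=true' "$rc" || printf 'ignore-scripts=true\n' >> "$rc"
}

# Usage (uncomment to run against a real project):
# scan_node_modules ./node_modules && echo "clean"
# disable_install_scripts .
```

Two caveats for practitioners. First, `ignore-scripts=true` also blocks legitimate `postinstall` steps such as native module builds, so packages that need them must be built explicitly afterwards. Second, file names are the cheapest indicator for an attacker to change, so a scan like this is a point-in-time check for this specific wave, not a substitute for reviewing what a package's install hooks actually execute before allowing them.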