Npm

CERT-FR issued a bulletin on November 27, 2025 describing an active supply-chain campaign against npm packages that began on November 23, 2025, has affected 700+ packages, executes via a preinstall script to harvest secrets, self-propagate, and in some cases destroy user data; they advise hunting for bun_environment.js, auditing installed versions, temporarily freezing updates, and rotating exposed secrets. (cert.ssi.gouv.fr)

Intrusion Flow

• Initial execution (developer laptop or CI): Compromised npm package versions add a package.json preinstall that runs setup_bun.js, which installs or locates the Bun runtime and launches a large payload bun_environment.js. (wiz.io)
• Credential theft and exfiltration: The payload enumerates environment variables and config files and invokes TruffleHog to capture credentials, then exfiltrates to attacker-created GitHub repositories often labeled with Shai-Hulud-themed descriptions; cross-victim exfiltration has been observed. (cert.ssi.gouv.fr)
• Persistence and remote control: The malware registers a self-hosted runner named “SHA1HULUD” and drops a .github/workflows/discussion.yaml workflow so that creating a GitHub Discussion executes arbitrary commands on the victim’s self-hosted runner; a formatter_*.yml workflow is used to collect GitHub Actions secrets into actionsSecrets.json. (wiz.io)
• Self-replication: Stolen npm tokens and GitHub access allow the actor to publish trojanized versions of additional packages under compromised maintainers, driving rapid worm-like spread across ecosystems. (wiz.io)
• Destructive fallback: Analyses report a “dead man’s switch” that may delete user data (e.g., the home directory) when the malware cannot exfiltrate or persist; CERT-FR also warns about possible user-data deletion. (about.gitlab.com)

Key Artifacts to Pull

• Project and dependency state:
  • package.json, package-lock.json, yarn.lock, pnpm-lock.yaml (to diff against clean versions announced by vendors such as Postman and PostHog). (blog.postman.com)
• On-disk indicators:
  • setup_bun.js and bun_environment.js in package tarballs or node_modules; auxiliary files cloud.json, contents.json, environment.json, truffleSecrets.json. (wiz.io)
  • Suspicious GitHub workflows: .github/workflows/discussion.yaml and formatter_*.yml. (wiz.io)
• GitHub infrastructure state:
  • Presence of self-hosted runners named “SHA1HULUD.” Use the GitHub REST API to list runners at org/repo scope during triage. (wiz.io)
• Package manager caches and global install context:
  • npm cache directory (default on POSIX: ~/.npm with _cacache) for corroborating when/what versions were fetched. (docs.npmjs.com)

Example triage commands (read-only where possible):

On November 5, 2025, GitHub disabled creation of classic npm tokens and tightened controls on granular tokens; write-capable granular tokens now enforce 2FA by default and are limited to a maximum 90-day lifetime, with a seven-day default for new write tokens. GitHub also indicated that local publishing sessions would shift to two-hour tokens, and initially targeted November 19 for revoking all remaining classic tokens. Validate the current cutoff in your environment-GitHub’s community channel noted a possible shift to December 9 to coincide with CLI improvements-then proceed as if long-lived classic credentials are dead and rotation is mandatory. (GitHub Changelog, Nov 5, GitHub Changelog, Sep 29, GitHub Community discussion, Nov 13). (github.blog)

Kaspersky reported on October 17, 2025 that a malicious npm package named https-proxy-utils masqueraded as a proxy helper and, during installation, executed a postinstall script that fetched and launched an AdaptixC2 agent; the package has since been removed from npm (Securelist). The lure name mimicked popular packages like http-proxy-agent and https-proxy-agent, and even cloned functionality from proxy-from-env to appear legitimate (Securelist).

AdaptixC2 is an open-source, cross-platform post-exploitation framework with server components in Go and a Qt client, providing beacons and listeners across Windows, macOS, and Linux-features attractive both to red teams and threat actors (AdaptixC2 GitHub).