NPM-GLUESTACK-REACT-NATIVE-ARIA-2025

A renewed wave of the Shai-Hulud worm, dubbed Shai-Hulud 2.0 or 'The Second Coming', began around November 21-24, 2025 and affected tens of thousands of GitHub repositories across roughly 350 unique users. The variant moved execution to the pre-install phase, dropped large heavily obfuscated payloads (setup_bun.js and bun_environment.js), and exfiltrated stolen secrets to public GitHub repositories described as 'Sha1-Hulud: The Second Coming'. As an aggressive fallback, it attempted to destroy the victim's entire home directory if credential theft failed.

Shai-Hulud was the first self-replicating worm to hit the npm ecosystem, disclosed around September 15, 2025. Beginning with the compromise of @ctrl/tinycolor (over 2 million weekly downloads), the malware harvested developer credentials (npm tokens, GitHub PATs, and AWS/GCP/Azure secrets) using the TruffleHog secret scanner, then automatically authenticated to npm and republished trojanized versions of every package the victim maintained, spreading exponentially without operator intervention. It exfiltrated stolen secrets to attacker webhooks and public GitHub repositories and established persistence via a malicious GitHub Actions workflow. More than 500 packages were ultimately compromised, including several CrowdStrike packages.

On September 8, 2025, maintainer Josh Junon ('Qix') was phished via a fake npm 2FA-reset email from the spoofed domain support@npmjs.help, giving attackers control of his account. They published malicious versions of 18 foundational packages including chalk@5.6.1, debug@4.4.2, ansi-styles@6.2.2 and strip-ansi@7.1.1, which collectively account for over 2 billion weekly downloads, making it the largest npm supply chain attack by download volume. The injected payload was a browser-based crypto clipper that hooked fetch and XMLHttpRequest, used Levenshtein-distance matching to swap victim wallet addresses across Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash, and hijacked window.ethereum/MetaMask transactions. The malicious versions were live for roughly two hours before removal.

On August 26, 2025, attackers exploited a vulnerable GitHub Actions workflow (added Aug 21) susceptible to code injection via a crafted pull-request title to steal Nx's npm publishing token, then published malicious versions of nx (21.5.0, 20.9.0 and others) and several @nx plugins. The malware scanned the filesystem, collected credentials, npm/GitHub tokens, SSH keys and cryptocurrency wallets, and posted them to public GitHub repositories under victim accounts. Dubbed 's1ngularity', it was the first known supply chain attack to weaponize installed AI CLI tools (Claude, Gemini, q) for reconnaissance. The packages were live for about four hours and thousands of secrets were leaked.

Between March 14 and March 15, 2025 the widely used GitHub Action tj-actions/changed-files was compromised. Attackers rewrote existing version tags up to v45.0.7 to point to a single malicious commit, injecting a Node.js function with base64-encoded instructions that downloaded a Python script scanning the GitHub runner's memory. The payload dumped CI secrets (access keys, GitHub PATs, npm tokens, private RSA keys) into publicly readable workflow logs. More than 23,000 repositories used the action; it was patched in v46.0.1.

On March 11, 2025 between 18:42 and 20:31 UTC, reviewdog/action-setup@v1 was compromised. Attackers gained enough access to repoint the v1 tag to a malicious fork and inserted a base64-encoded payload directly into install.sh that dumped exposed secrets into GitHub Actions workflow logs. Dependent reviewdog actions (action-shellcheck, action-staticcheck, action-typos and others) were transitively affected. This compromise is believed to have been the entry point that led to the broader tj-actions/changed-files attack; deeper analysis found roughly 218 repositories actually leaked secrets.