At a glance: Shai-Hulud 2.0 is abusing the npm registry with trojanized packages and malicious preinstall scripts. Bun-based payloads enable credential theft, GitHub workflow abuse, and rapid propagation. Field Effect MDR monitors for and detects IoCs associated with Shai-Hulud campaigns.
Threat summary
On November 24, 2025, researchers reported on a new campaign impacting the npm registry, noting its rapid propagation capabilities. This marked the second wave of Shai-Hulud activity, the first of which we reported on back in September. The new variant was named “Sha1-Hulud” and is sometimes referred to as “Shai-Hulud 2.0”.
Between November 21 and 23, threat actors were observed uploading trojanized npm packages that execute malicious code in the preinstall lifecycle hook, which npm runs automatically during installation. The campaign introduced new payloads, setup_bun.js and bun_environment.js, which rely on the Bun runtime to execute a large, heavily obfuscated script with its output suppressed. This enables credential theft and unauthorized GitHub workflow creation while evading detection.
The malware exfiltrates developer and CI/CD secrets to attacker-controlled GitHub repositories and attempts to create unauthorized GitHub workflows, enabling persistence and further propagation. The campaign leverages compromised maintainer accounts to publish malicious versions of legitimate packages, including Zapier SDK, ENS Domains libraries, and PostHog agent modules.
Analyst insight
Unlike the first wave of attacks, which primarily relied on a postinstall hook for credential theft, this variant executes earlier in the installation process, increasing exposure in both build and runtime environments.
Bun is a modern JavaScript runtime known for its fast startup times and tight integration with npm workflows, making it an attractive tool for threat actors seeking execution before dependencies are fully installed or security checks run. Because npm is the default package manager for JavaScript and Node.js applications and its registry is the default source of packages, it is widely used across enterprise and cloud environments and is a critical component of modern software supply chains.
The impact from this malware could include credential theft (GitHub tokens, npm tokens, cloud credentials), unauthorized package publication, and worm-like propagation across repositories. The worst-case scenario involves compromise of enterprise build pipelines and cloud infrastructure, leading to unauthorized access to source code and sensitive environments. Exploitation is not technically complex: it requires only that a developer workstation or CI job install a compromised package version, making the attack vector broad and opportunistic.
Organizations should regularly audit npm dependencies for install-time lifecycle scripts, rotate any credentials that may have been exposed (GitHub and npm tokens, cloud keys), and harden CI/CD pipelines against preinstall script execution. Deploying a cybersecurity solution with 24x7 monitoring, like Field Effect MDR, supports rapid detection of credential theft and containment of Shai-Hulud 2.0's worm-like propagation.
Field Effect MDR continuously monitors endpoint and network activity, detecting unusual script execution, unauthorized outbound connections, and suspicious repository creation attempts. Once malicious activity is detected, Field Effect MDR provides automated or analyst-driven response actions such as isolating affected endpoints and blocking outbound traffic to attacker infrastructure.