SHA1-HULUD Malware Infects Developers, Posts Secrets to Their Public GitHub Repos
According to researchers at Wiz, a supply chain attack on npm packages is exfiltrating developers’ credentials and posting them to public GitHub repositories.
Wiz Research is tracking over 25,000 affected repositories created across ~350 unique users. A thousand new repositories are being added consistently every 30 minutes throughout the initial hours of this campaign. In addition, Wiz has identified newly compromised packages that contain files linked to this activity.
Wiz says the attack “compromised a large number of packages, including Zapier packages, ENS domains packages, ecosystem packages and more. Newly compromised packages are still being identified.”
The payload registers the infected machine as a self-hosted runner named 'SHA1HULUD'.
The name is a reference to Dune and also likely to the "wormable" nature of the malware, meaning it's able to automatically spread itself without human input.
This incident comes after a similar malware incident back in September.
The researchers recommend that developers clear their npm cache, rotate all credentials, remove anything from their GitHub and CI/CD environments referencing shai-hulud, and harden automation pipelines.
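One way to carry out the "remove anything referencing shai-hulud" step is to scan local clones of your repositories for files that mention the runner name and for workflows that target a self-hosted runner. The script below is an added example written for this brief, not code from Privacy Guides or Wiz; it assumes your repositories are cloned under one directory passed as the first argument, and the search patterns are the two names quoted above (shai-hulud and SHA1HULUD). The demo tree it can build is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article or from Wiz): find references to the
# Shai-Hulud self-hosted runner in a directory of cloned repositories.
# Assumes: $1 is the parent directory of your git checkouts (hypothetical path).

# Case-insensitive ERE covering both spellings quoted in the brief.
SHAI_HULUD_PATTERN='shai[-_]?hulud|sha1[-_]?hulud'

# Print every text file under the given directory whose contents match the
# pattern, one path per line. No output means no hits.
find_shai_hulud_refs() {
    dir="$1"
    grep -rIilE "$SHAI_HULUD_PATTERN" "$dir" 2>/dev/null || true
}

# List GitHub Actions workflow files that run jobs on a self-hosted runner;
# these are the places an unexpected 'SHA1HULUD' runner would be picked up.
find_self_hosted_workflows() {
    dir="$1"
    find "$dir" -path '*/.github/workflows/*' \( -name '*.yml' -o -name '*.yaml' \) \
        -exec grep -lE 'runs-on:.*self-hosted' {} + 2>/dev/null || true
}

# Build a constructed demo tree (two repos, one clean, one referencing the
# worm's runner name) and print its path, so the checks can be tried offline.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/app-a/.github/workflows" "$demo/app-b/.github/workflows"
    # constructed: a workflow pinned to a self-hosted runner named after the worm
    cat > "$demo/app-a/.github/workflows/ci.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: [self-hosted, SHA1HULUD]
    steps:
      - run: npm ci
EOF
    # constructed: a clean workflow on GitHub-hosted runners
    cat > "$demo/app-b/.github/workflows/ci.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: npm ci
EOF
    echo "$demo"
}

# Usage: sh scan.sh /path/to/checkouts  (hypothetical path)
if [ "$#" -ge 1 ]; then
    echo "Files referencing Shai-Hulud under $1:"
    find_shai_hulud_refs "$1"
    echo "Workflows using self-hosted runners under $1:"
    find_self_hosted_workflows "$1"
fi
```

Every path the script prints should be reviewed by hand and the offending workflow or runner registration removed; the script only locates references, it does not delete anything. Pair it with the other steps in the brief (clearing the npm cache and rotating every credential that the affected machines could read), since a clean workflow tree says nothing about secrets already exfiltrated.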
Thank you for reading this article. If you want to support our news briefs, guides, and videos please consider becoming a Privacy Guides member.
Privacy Guides is 100% reader-funded. You can subscribe for free, or donate and receive early-access and exclusive content from the team.