Your sandworm is back
The Shai-Hulud attack is back and impacts a large number of users across GitHub and npm.
Among popular packages, Zapier’s npm repositories were affected by the updated Shai-Hulud attack.
Overview
A compromised npm package, once installed, ran and stole developer credentials and API keys. With those keys the attacker spreads the malicious code further by publishing new versions of the affected users’ own npm packages, and uploads the stolen credentials to GitHub in repositories carrying the description “Sha1-Hulud: The Second Coming.”
Who is affected
Developers and organizations that installed the tainted versions during the brief time window before takedown. Regular end-users are indirectly at risk if the apps they use were built during that period of time with the compromised packages.
Impact
- 28k GitHub repositories affected.
- 5k files containing exfiltrated secrets.
- Potential exposure of:
  - GitHub tokens and Actions secrets
  - npm tokens
  - Cloud service keys (AWS, GCP, etc.)
- High likelihood of additional malicious updates being propagated using stolen credentials.
Recommended Actions
Immediate Containment:
- Remove or downgrade affected package versions and rebuild from a clean cache or artifact source.
- Rotate, revoke, and replace all credentials used on affected machines or CI runners (npm tokens, GitHub PATs, Action secrets, cloud keys).
- Audit logs for suspicious installs, unauthorized publishes, or automated workflow activity.
- Check GitHub accounts for repositories with random 18-character names and the description: “Sha1-Hulud: The Second Coming.” If found:
  - Review contents/history to understand the scope of the leak.
  - Remove the repository.
Full System Remediation:
- Consider affected machines fully compromised; full reinstallation or reimaging is preferred.
Technical Analysis
The OX Security team found over 28k GitHub repositories carrying the new Shai-Hulud payload, identified by the “Sha1-Hulud: The Second Coming.” repository description. Each repository contains multiple files, such as:
- actionsSecrets.json
- cloud.json
- contents.json
- environment.json
- truffleSecrets.json
Each of these files contains a double base64-encoded JSON with all of the compromised information the attacker uploaded to the victim’s GitHub account. The attacker also used the open-source secret scanner TruffleHog to find secrets on the machine and uploaded the results to the compromised accounts.
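Two pieces of the response work above lend themselves to a small script: spotting repositories that match the indicators (random 18-character name plus the “Sha1-Hulud: The Second Coming.” description) during the containment step, and decoding the double base64-encoded dump files so the leak can be scoped. The following Node.js helpers are an added example, not code from the OX Security write-up or from the malware. The repository records have the `name`/`description` shape that the GitHub REST API returns for a repository listing; the character set of the random names and the flat key/value layout of the decoded dump are assumptions, and every sample input is constructed here.

```javascript
// Added triage helpers (not from the OX Security write-up or the malware):
// flag repositories matching the advisory's indicators and decode the
// double base64-encoded dump files so the leak can be scoped.
// All inputs below are constructed samples.

const IOC_DESCRIPTION = "Sha1-Hulud: The Second Coming";
// The advisory says the exfil repos carry random 18-character names; the
// alphabet is not stated, so lowercase alphanumerics is an assumption here.
const RANDOM_NAME = /^[a-z0-9]{18}$/;

// Classify one repository record. Objects with `name` and `description` are
// the shape GitHub's REST API returns for GET /orgs/{org}/repos or
// GET /user/repos, so that listing can be fed straight in.
function isExfilRepo(repo) {
  const desc = (repo.description || "").trim().replace(/\.$/, "");
  const descMatch = desc === IOC_DESCRIPTION;
  const nameMatch = RANDOM_NAME.test(repo.name || "");
  // The description is the decisive indicator; the name pattern alone is only
  // a supporting signal, so it is reported but does not decide on its own.
  return { name: repo.name, descMatch, nameMatch, suspicious: descMatch };
}

// The dump files (actionsSecrets.json, cloud.json, environment.json, ...) are
// base64 applied twice over JSON. Strip both layers and parse the result.
function decodeDump(text) {
  const once = Buffer.from(text.trim(), "base64").toString("utf8");
  const twice = Buffer.from(once.trim(), "base64").toString("utf8");
  return JSON.parse(twice);
}

// Group the keys of a decoded dump by credential type. Only key names are
// inspected and returned; values never leave this function, so the result is
// safe to paste into a rotation ticket. A flat key/value object is assumed.
const CATEGORY_PATTERNS = [
  ["github", /^(GITHUB|GH)_/i],
  ["npm", /^NPM_/i],
  ["aws", /^AWS_/i],
  ["gcp", /^(GOOGLE|GCP|GCLOUD)_/i],
];
function summarizeDump(secrets) {
  const found = new Set();
  for (const [key, value] of Object.entries(secrets)) {
    if (value === null || value === undefined || value === "") continue;
    for (const [label, re] of CATEGORY_PATTERNS) {
      if (re.test(key)) found.add(label);
    }
  }
  return [...found].sort();
}

// Constructed sample of what an environment.json might hold (placeholder values).
const SAMPLE_SECRETS = {
  GITHUB_TOKEN: "ghp_PLACEHOLDER",
  NPM_TOKEN: "npm_PLACEHOLDER",
  AWS_ACCESS_KEY_ID: "AKIAPLACEHOLDER",
  AWS_SECRET_ACCESS_KEY: "PLACEHOLDER",
  HOME: "/home/dev",
};
// Encode it the same way the dump files are encoded (base64 applied twice).
const SAMPLE_DUMP = Buffer.from(
  Buffer.from(JSON.stringify(SAMPLE_SECRETS), "utf8").toString("base64"),
  "utf8",
).toString("base64");

// Constructed repository listing: one indicator match, one ordinary repo.
const SAMPLE_REPOS = [
  { name: "k3j9x0q2m8v1b7n4z6", description: "Sha1-Hulud: The Second Coming." },
  { name: "billing-service", description: "Internal billing API" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of SAMPLE_REPOS) console.log(isExfilRepo(r));
  console.log("credential types in dump:", summarizeDump(decodeDump(SAMPLE_DUMP)));
}
```

Running the file prints the classification of both sample repositories and `["aws", "github", "npm"]` for the sample dump, which is the list of credential families that would need rotation; to apply it to a real account, pipe the JSON from a GitHub repository listing into `isExfilRepo` and the raw file contents of a flagged repository into `decodeDump`.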
Over 5k files were uploaded to GitHub containing the compromised credentials, secrets and API keys.
Over 28k repositories were uploaded to GitHub with the Shai-Hulud description.
After decoding the information with a double base64-decode function, we can see all of the compromised data from the user’s account, including the GitHub token and AWS and GCP secrets.
Part of the attack vector weaponizes TruffleHog to find and exfiltrate secrets from the compromised machines.
The attacker also used the GitHub Actions runner to connect to GitHub and upload new repositories in the name of the compromised user.
The attacker then uses it to create the exfiltration repository with the “Sha1-Hulud: The Second Coming” description.
Affected Packages
| Package name | Affected versions |
|---|---|
| @accordproject/concerto-analysis | 3.24.1 |
| @accordproject/concerto-metamodel | 3.12.5 |
| @accordproject/concerto-types | 3.24.1 |
| @accordproject/markdown-it-cicero | 0.16.26 |
| @ensdomains/address-encoder | 0.1.5 |
| @ensdomains/content-hash | 3.0.1 |
| @ensdomains/dnsprovejs | 0.5.3 |
| @ensdomains/dnssecoraclejs | 0.2.9 |
| @ensdomains/ens-contracts | 1.6.1 |
| @ensdomains/ens-validation | 0.1.1 |
| @ensdomains/ensjs | 4.0.3 |
| @ensdomains/eth-ens-namehash | 2.0.16 |
| @ensdomains/react-ens-address | 0.0.32 |
| ethereum-ens | 0.8.1 |
| @zapier/ai-actions-react | 0.1.12, 0.1.13, 0.1.14 |
| @zapier/mcp-integration | 3.0.1, 3.0.2, 3.0.3 |
| @zapier/secret-scrubber | 1.1.3, 1.1.4, 1.1.5 |
| @zapier/stubtree | 0.1.2, 0.1.3, 0.1.4 |
| @zapier/zapier-sdk | 0.15.5, 0.15.6, 0.15.7 |
| zapier-platform-cli | 18.0.2, 18.0.3, 18.0.4 |
| zapier-platform-core | 18.0.2, 18.0.3, 18.0.4 |
| zapier-platform-schema | 18.0.2, 18.0.3, 18.0.4 |
| zapier-scripts | 7.8.3, 7.8.4 |
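The table is only useful if it is checked against what is actually installed. The script below is an added example, not code from the advisory or from any of the listed projects: it loads the affected versions from the table and walks a `package-lock.json` (the `packages` map of lockfile v2/v3, or the nested `dependencies` tree of lockfile v1), reporting exact matches with their install path so nested copies are not missed. The two lockfiles embedded in it are constructed samples.

```javascript
// Added example (not from the advisory or from Zapier/ENS/Accord Project):
// scan a package-lock.json for the exact versions listed in the table above.
// The lockfiles embedded below are constructed samples.

// Affected versions, copied from the advisory's table.
const AFFECTED = {
  "@accordproject/concerto-analysis": ["3.24.1"],
  "@accordproject/concerto-metamodel": ["3.12.5"],
  "@accordproject/concerto-types": ["3.24.1"],
  "@accordproject/markdown-it-cicero": ["0.16.26"],
  "@ensdomains/address-encoder": ["0.1.5"],
  "@ensdomains/content-hash": ["3.0.1"],
  "@ensdomains/dnsprovejs": ["0.5.3"],
  "@ensdomains/dnssecoraclejs": ["0.2.9"],
  "@ensdomains/ens-contracts": ["1.6.1"],
  "@ensdomains/ens-validation": ["0.1.1"],
  "@ensdomains/ensjs": ["4.0.3"],
  "@ensdomains/eth-ens-namehash": ["2.0.16"],
  "@ensdomains/react-ens-address": ["0.0.32"],
  "ethereum-ens": ["0.8.1"],
  "@zapier/ai-actions-react": ["0.1.12", "0.1.13", "0.1.14"],
  "@zapier/mcp-integration": ["3.0.1", "3.0.2", "3.0.3"],
  "@zapier/secret-scrubber": ["1.1.3", "1.1.4", "1.1.5"],
  "@zapier/stubtree": ["0.1.2", "0.1.3", "0.1.4"],
  "@zapier/zapier-sdk": ["0.15.5", "0.15.6", "0.15.7"],
  "zapier-platform-cli": ["18.0.2", "18.0.3", "18.0.4"],
  "zapier-platform-core": ["18.0.2", "18.0.3", "18.0.4"],
  "zapier-platform-schema": ["18.0.2", "18.0.3", "18.0.4"],
  "zapier-scripts": ["7.8.3", "7.8.4"],
};

// Lockfile v2/v3 keys entries by install path; the package name is whatever
// follows the last "node_modules/" segment (this also handles nested installs
// such as node_modules/a/node_modules/@scope/b). The root entry "" yields null.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Return every installed package@version that appears in AFFECTED.
function findAffected(lock) {
  const hits = [];
  const record = (name, version, path) => {
    if (AFFECTED[name] && AFFECTED[name].includes(version)) {
      hits.push({ name, version, path });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(path);
      if (name) record(name, meta.version, path);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        record(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed v3 lockfile: one direct hit, one nested hit, two clean entries.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/zapier-platform-core": { version: "18.0.3" },
    "node_modules/zapier-platform-cli": { version: "18.0.1" },
    "node_modules/some-lib/node_modules/@ensdomains/ensjs": { version: "4.0.3" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Constructed v1 lockfile with a nested affected dependency.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "zapier-scripts": {
      version: "7.8.4",
      dependencies: { "@zapier/stubtree": { version: "0.1.3" } },
    },
  },
};

// Usage: node check-lock.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned. A non-zero exit code flags a hit for CI.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const hits = findAffected(lock);
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
  if (file && hits.length > 0) process.exitCode = 1;
}
```

Matching is on exact versions only, which is what the advisory lists; the clean `zapier-platform-cli@18.0.1` entry in the sample shows that neighbouring versions are deliberately not flagged. A hit means the install path should be rebuilt from a clean cache and the credentials on that machine treated as exposed, as the containment steps above describe.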
Conclusion
Shai-Hulud demonstrates how threat actors continuously evolve their tactics, here turning a defensive tool (TruffleHog) to offensive use.
To protect your organization:
- Enforce hardware-based 2FA and short-lived tokens.
- Implement a cool-down period for new package adoption.
- Conduct organization-wide reviews of new package versions.
- Combine these with SBOM-driven inventory and automated blocklists for stronger protection.
This attack reinforces that securing the modern software supply chain requires proactive, layered defenses rather than reactive cleanup after compromise.