These sorts of NPM worms have been around for a LONG time.

It's typically due a common practice of low 2fa opt-in on NPM accounts.

So be sure to setup NPM 2FA if you're a package maintainer do that asap!

A lesser known NPM capability is that you can disable install time scripts. This may break some packages but its worth a try to see if your projects can work with out any install scripts. 👇🏿

https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability

#GitHub #NPM #Microsoft #Sha1Hulud #nodejs #javascript

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

https://github.com/datapartyjs/walk-without-rhythm

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

Just checked back on the Sha1-Hulud virus/worm. FINALLY npm appears free of obviously infected packages.

I still however am seeing infected machines posted their private data publicly on GitHub.

Not only that, I can see infected developer's github repos are being defaced in realtime.

These microsoft owned platforms seem to be really struggling with stopping this worm.

Query for defaced repos 👇🏿

https://github.com/search?q=api.airforce&type=repositories&s=updated&o=desc

#NPM #microsoft #github #Sha1Hulud #WalkWithoutRhythm #cybersecurity

I've spent the last few hours writing down my scripts for detecting this so you can use them!

I'm hitting on two or three ways to detect it and will be adding more.

Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭

Maybe let the node developers in your life know about this tool 👇🏿

https://github.com/datapartyjs/walk-without-rhythm

#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity

Running my NPM checks again today, I see eight remaining infected packages still circulating on the Microsoft owned platform.

Unlike nodejs package index https://socket.dev NPM does not show ANY security warnings on these package's pages.

It's pretty wild that these known compromised packages have been circulating for four days now with now response or action from Microsoft despite it being one of the largest security stories this month.

#NPM #microsoft #GitHub #Sha1Hulud #cybersecurity

Now that the acute phase is slowing there's a VERY important question...

What is actual fucking value does Microsoft (a trillion dollar company) owning GitHub & NPM bring at all?

This shit was an absolute corporate buyout disaster. How the ever living fuck has microsoft owned NPM for FIVE years and still not done proper MFA requirements for publishing packages on NPM.

How the actual fuck are well known vulnerable packages STILL being propagated by NPM.

#microsoft #NPM #GitHub

#Breaking There's an active nodejs supply chain attack going around.

From the looks of it many of these compromised packages have been mitigated but quite a few have not.

https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

#nodejs #cybersecurity #aws #github #npm #trufflehog #go #cyberattack #ShaiHulud #javascript #deno #browser #Sha1Hulud

I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).

Linked them all from my readme in case those work better for you.

Best way to beat a work like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.

By using more than one hopefully we make the attackers job harder to evade all of us.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools

#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft

GitHub has almost finished taking down the stolen data posted by the Sha1-Hulud npm/github worm. I only see about 400 repos remaining of the around 23k created by the worm.

This was the most visible evidence of the exploit, just because we can't clearly see the worm's uploads doesn't mean the worm is totally dead yet.

#Sha1Hulud #GitHub #NPM #nodejs #cybersecurity

Once again, if you are using npm, you may be compromised

>Threat actors have slipped malicious code into hundreds of NPM packages — including major ones from Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman.

https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

#infosec #npm #zapier #posthog #postman

I was able to track down 3 out of the remaining 5 affected packages and posted bug reports & security alerts to those developers I located.

Sure would be nice if NPM and GitHub did this automatically.... kinda feel like I've done an awful lot of free labor for Microsoft this week.

https://github.com/datapartyjs/walk-without-rhythm/issues/13

#Sha1Hulud #microsoft #npm

Is NPM still dangerous?

Yes, we're down to five known infected packages still circulating on the Microsoft owned platform.

The following five packages continue to spread the Sha1-Hulud worm with no warning at all on the NPM page nor at download/install time:

hyper-fullfacing 1.0.3

@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2

quickswap-ads-list 1.0.33

@seung-ju/react-native-action-sheet 0.2.1

tcsp 2.0.2

#Sha1Hulud #microsoft #npm

At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.

You can find that info under `reports/`

I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.

#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse

First pass is super simple and just looks for the file names & package.json signature for signs of infection anywhere in the path you tell it to search.

If it sees anything fishy it tells you where and stops until you've read the alert.

Oh and this only uses bash, sed, awk, grep, curl, and jq. So no npm, node or other big supply chains 🥴

https://github.com/datapartyjs/walk-without-rhythm/blob/main/check-projects

#ShalHulud #WalkWithoutRhythm #nodejs #npm #github #javascript

Running my NPM checks again today, I see eight remaining infected packages still circulating on the Microsoft owned platform.

Unlike nodejs package index https://socket.dev NPM does not show ANY security warnings on these package's pages.

It's pretty wild that these known compromised packages have been circulating for four days now with now response or action from Microsoft despite it being one of the largest security stories this month.

#NPM #microsoft #GitHub #Sha1Hulud #cybersecurity

I'm quickly finding a mix of packages which were compromised, some were months ago and had the bad versions taken down.

However at the same time I'm noticing packages like the one below that were -just- hacked 19 hours ago and still have not been taken down yet!

With how this worm works its a bit of a pencils down moment... you probably should check your packages right now.

https://www.npmjs.com/package/capacitor-voice-recorder-wav?activeTab=code

#nodejs #npm #ShaiHulud #javascript