These sorts of NPM worms have been around for a LONG time.

It's typically due a common practice of low 2fa opt-in on NPM accounts.

So be sure to setup NPM 2FA if you're a package maintainer do that asap!

A lesser known NPM capability is that you can disable install time scripts. This may break some packages but its worth a try to see if your projects can work with out any install scripts. 👇🏿

https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability

#GitHub #NPM #Microsoft #Sha1Hulud #nodejs #javascript

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

https://github.com/datapartyjs/walk-without-rhythm

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

Running my NPM checks again today, I see eight remaining infected packages still circulating on the Microsoft owned platform.

Unlike nodejs package index https://socket.dev NPM does not show ANY security warnings on these package's pages.

It's pretty wild that these known compromised packages have been circulating for four days now with now response or action from Microsoft despite it being one of the largest security stories this month.

#NPM #microsoft #GitHub #Sha1Hulud #cybersecurity

#Breaking There's an active nodejs supply chain attack going around.

From the looks of it many of these compromised packages have been mitigated but quite a few have not.

https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

#nodejs #cybersecurity #aws #github #npm #trufflehog #go #cyberattack #ShaiHulud #javascript #deno #browser #Sha1Hulud

I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).

Linked them all from my readme in case those work better for you.

Best way to beat a work like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.

By using more than one hopefully we make the attackers job harder to evade all of us.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools

#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft

GitHub has almost finished taking down the stolen data posted by the Sha1-Hulud npm/github worm. I only see about 400 repos remaining of the around 23k created by the worm.

This was the most visible evidence of the exploit, just because we can't clearly see the worm's uploads doesn't mean the worm is totally dead yet.

#Sha1Hulud #GitHub #NPM #nodejs #cybersecurity

I was able to track down 3 out of the remaining 5 affected packages and posted bug reports & security alerts to those developers I located.

Sure would be nice if NPM and GitHub did this automatically.... kinda feel like I've done an awful lot of free labor for Microsoft this week.

https://github.com/datapartyjs/walk-without-rhythm/issues/13

#Sha1Hulud #microsoft #npm

Is NPM still dangerous?

Yes, we're down to five known infected packages still circulating on the Microsoft owned platform.

The following five packages continue to spread the Sha1-Hulud worm with no warning at all on the NPM page nor at download/install time:

hyper-fullfacing 1.0.3

@ifelsedeveloper/protocol-contracts-svm-idl 0.1.2

quickswap-ads-list 1.0.33

@seung-ju/react-native-action-sheet 0.2.1

tcsp 2.0.2

#Sha1Hulud #microsoft #npm

Running my NPM checks again today, I see eight remaining infected packages still circulating on the Microsoft owned platform.

Unlike nodejs package index https://socket.dev NPM does not show ANY security warnings on these package's pages.

It's pretty wild that these known compromised packages have been circulating for four days now with now response or action from Microsoft despite it being one of the largest security stories this month.

#NPM #microsoft #GitHub #Sha1Hulud #cybersecurity

Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️

This tool crawls the list of known bad packages and downloads the latest bundle.

It then runs my other checks against the downloaded bundle and logs the results.

https://github.com/datapartyjs/walk-without-rhythm

#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash

Updated my listing of Sha1-Hulud detection tools.

I now have found at least 12 other tools for detecting Sha1-Hulud compromise on your dev box and in infrastructure.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-sha1-hulud-112425-detection-tools

#WalkWithoutRhythm #Sha1Hulud #npm #github #nodejs #javascript #cybersecurity #devops

I've updated my suggestions to include links and info on how to get fine grained control over the scripts your projects run at compile time.

There's two fairly interesting community projects that seem to address this part of the problem and make it possible to disable most install scripts while keeping the ones your project actually requires.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#steps-to-take

#Sha1Hulud #NPM #nodejs #javascript

These sorts of NPM worms have been around for a LONG time.

It's typically due a common practice of low 2fa opt-in on NPM accounts.

So be sure to setup NPM 2FA if you're a package maintainer do that asap!

A lesser known NPM capability is that you can disable install time scripts. This may break some packages but its worth a try to see if your projects can work with out any install scripts. 👇🏿

https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability

#GitHub #NPM #Microsoft #Sha1Hulud #nodejs #javascript

And to be clear this is NOT an all clear just yet. Why?

1. There remain known malicious packages STILL available for download on NPM (and I can see evidence of active downloads)

https://partyon.xyz/@nullagent/115607663085751105

2. Infected computers and servers are STILL posting stolen PII to public githubs for the world to see. GitHub has just gotten a tad faster at taking them down.

https://partyon.xyz/@nullagent/115607844583101135

So this is a smoldering fire still and we need to stay vigilant.

#Sha1Hulud #WalkWithoutRhythm

GitHub has almost finished taking down the stolen data posted by the Sha1-Hulud npm/github worm. I only see about 400 repos remaining of the around 23k created by the worm.

This was the most visible evidence of the exploit, just because we can't clearly see the worm's uploads doesn't mean the worm is totally dead yet.

#Sha1Hulud #GitHub #NPM #nodejs #cybersecurity

I spent more time searching for other Sha1-Hulud detection tools and found four more bringing it to 6 scanners (5 in nodejs).

Linked them all from my readme in case those work better for you.

Best way to beat a work like this is to keep scanning and keep an eye out for the attacker to try and evade all of our tools.

By using more than one hopefully we make the attackers job harder to evade all of us.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#similar-tools

#Sha1Hulud #WalkWithoutRhythm #nodejs #npm #github #microsoft

Just finished landing Exit Code support. So now if more scanners are made or one of the projects gets more features you can quickly switch to whichever makes the most sense for your use case!

I literally lost a ton of sleep on this volunteer incident response work so I'm going to go touch grass for a bit.

More hacks later tonight, still got some loose ends gnawing at me lol.

https://github.com/datapartyjs/walk-without-rhythm?tab=readme-ov-file#how-to-use

#nodejs #npm #javascript #Sha1Hulud #WalkWithoutRhythm #Sha1HuludScanner #cybersecurity

I located a second tool for detecting Sha1-Hulud infections. Haven't looked at the details of how it works.

Some notes:

This one appears to have been released by CrowdStrike and was paywalled. Someone decided to modify and release it publicly so license is unknown.

But awesome to see I'm in the big leagues with CrowdStrike and I maybe the first clean open source release of a tool for this.

https://github.com/TimothyMeadows/sha1hulud-scanner

#Sha1Hulud #Sha1HuludScanner #NPM #nodejs #cybersecurity #opensource