Inherent dangers of Continuous Integration / Continuous Deployment
... combined with promiscuous package inclusion. Biblical warnings were ignored.
A self-propagating malware targeting node package managers (npm) is back for a second round, according to Wiz researchers who say that more than 25,000 developers had their secrets compromised within three days. The affected packages include those provided by Zapier, AsyncAPI, ENS Domains, PostHog, and Postman, several of …
>> Once installed...
Somebody had to actually download a compromised package and install it. No auditing. No checking. Just blind acceptance. Convenient? Yes. Wise? No.
Slurp down a load of dependencies, they must be OK because they are on NPM.
Most devs care as much about security as they care about how much their cloud bill is (which is not at all). Pretty sad to see how many people are willing to just download a shell script and run it (often as root) blindly.
At least with Linux repos there's often some checking that goes on before something is published. I run my own repos so systems only sync against a known state.
I remember back in 2007 I would manually build RPMs for all of the ruby gems our app used at the time. Built them for probably 3 different operating systems/architectures. In 2013 at another org came the first request for NPM. I planned to do the same but noped out pretty quick. What a disaster that was waiting to happen (blindly downloading dozens of hundreds of dependencies).
There is something horribly wrong with the premise of npm. We have barely gone 7 days since https://www.theregister.com/2025/11/14/selfreplicating_supplychain_attack_poisons_150k/ . npm looks a lot like Russian roulette or cancer at this point.