SHA1-Hulud, npm supply chain incident
November 24, 2025
On November 24th, 2025, we identified a new supply chain attack in the npm ecosystem, referred to as SHA1-Hulud. We believe this is a second wave of the Shai-Hulud attack, which occurred in September 2025.
Snyk will continue monitoring this active incident until it is resolved. Updates on this incident will be posted on our trust center.
What is it?
The SHA1-Hulud vulnerability is a worm that can infiltrate affected machines and execute attacker-controlled actions on them. As of the publication of this blog, Snyk has identified over 600 distinct impacted npm packages, including popular packages from Zapier, Posthog, and Postman. We expect this number to grow over time as more packages are infected and discovered.
How does it work?
The SHA1-Hulud worm spreads through trojanized npm packages that contain hidden preinstall scripts. When a developer or CI system installs one of these packages, the script runs automatically and deploys a payload that turns the compromised machine into an attacker-controlled GitHub Actions self-hosted runner. From there, the worm silently injects malicious workflows into repositories, enabling remote command execution and automated exfiltration of GitHub and npm secrets. It also searches the infected system for cloud credentials from AWS, Azure, and GCP—allowing the attacker to potentially compromise a broader set of targets, including source code repositories, CI/CD pipelines, and cloud infrastructure. Snyk has also received reports of sensitive user data from compromised developers being uploaded to GitHub repositories.
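Because the worm depends on a preinstall script that runs automatically at install time, it helps to know which dependencies in a project are allowed to run install scripts at all. The following is an added example, not code from Snyk or from the original post: it reads a `package-lock.json` (lockfileVersion 2 or 3) and lists every entry npm has flagged with `hasInstallScript`, marking those not on a reviewed allowlist. The allowlist, the function names and the sample lockfile are constructed assumptions.

```javascript
// Added example: report lockfile entries that will run install-time scripts
// (preinstall, install or postinstall) and whether each one has been reviewed.

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// lockText:  contents of package-lock.json (lockfileVersion 2 or 3).
// allowlist: package names whose install scripts the team has reviewed
//            (a hypothetical local policy, not an npm feature).
function auditInstallScripts(lockText, allowlist = []) {
  const lock = JSON.parse(lockText);
  if (!lock.packages || typeof lock.packages !== 'object') {
    throw new Error('no "packages" map: lockfileVersion 2 or 3 is required');
  }
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    // The '' key is the root project itself, not a dependency.
    if (lockPath === '' || !entry || entry.hasInstallScript !== true) continue;
    const name = entry.name || nameFromLockPath(lockPath);
    findings.push({ name, version: entry.version, path: lockPath, reviewed: allowed.has(name) });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile; all package names are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/plain-lib': { version: '2.1.0' },
    'node_modules/native-addon': { version: '4.0.2', hasInstallScript: true },
    'node_modules/plain-lib/node_modules/@example/helper': { version: '0.3.1', hasInstallScript: true },
  },
});

for (const f of auditInstallScripts(SAMPLE_LOCK, ['native-addon'])) {
  console.log(`${f.reviewed ? 'reviewed  ' : 'UNREVIEWED'} ${f.name}@${f.version} (${f.path})`);
}
```

Installing with `npm ci --ignore-scripts` skips lifecycle scripts entirely, so the unreviewed entries can be inspected before any of their code runs.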
How is Snyk responding to this incident?
Snyk is automatically re-testing all our monitored customer assets to identify affected customers and will proactively notify them. We are also monitoring the set of affected packages and will update our vulnerability databases and Customized Zero-Day Incident Report as this evolves.
Updates on this incident will be posted on our trust center.
