The software supply chain is once again at the center of a storm. And if you work with JavaScript, npm, or third-party dependencies—which is practically every dev team—you need to pay attention.
A new large-scale attack discovered by GitLab’s Vulnerability Research team is spreading an advanced, highly destructive variant of the Shai-Hulud malware. This time, the malware includes a “Dead Man’s Switch”: if attackers lose control of their infrastructure, the code starts deleting data on all infected systems.
Yes, it’s that extreme. And yes, it can affect you even if you only use third-party packages unrelated to the attackers.
At TecnetOne, we explain what’s happening and how to protect yourself.
What Kind of Attack Is This? A Massive Threat Inside the npm Ecosystem
This is a supply chain infection—one of today’s most feared attack vectors due to its ability to spread silently and rapidly.
The attackers have managed to inject tainted packages into the npm ecosystem, where thousands of developers download them unsuspectingly.
The mechanics are simple, but effective:
- You install an infected npm package.
- It runs a script that downloads a 10MB file masquerading as the Bun runtime.
- That “runtime” is actually the new variant of Shai-Hulud malware.
- The malware installs, hides, and begins stealing credentials and infecting other packages you manage.
This is a self-replicating worm-style attack vector that scales dangerously.
What the Malware Actually Does
This Shai-Hulud variant is designed to spread, steal secrets, and retain destructive power in case the attackers are cut off.
It Steals Every Credential It Can Find
Once inside, it scans for:
- GitHub tokens
- npm authentication keys
- AWS, GCP, and Azure credentials
- API keys
- Secrets stored in config files
One particularly disturbing move: it downloads Trufflehog, a legit tool used to detect exposed keys—turning your own security tools against you.
It Infects All Your npm Packages Automatically
If you publish npm packages, the malware:
- Modifies the package.json
- Injects malicious scripts
- Uploads contaminated versions
- Propagates the attack downstream to your users
A single infected dev can trigger a supply chain reaction affecting thousands.
It Builds a Distributed Botnet Infrastructure
Stolen tokens are sent to attacker-controlled GitHub repos labeled:
“Shai1-Hulud: The Second Coming”
These repositories act as coordination nodes. If some go down, others keep working—ensuring attack resilience.
Learn more: The Hidden Cost of Supply Chain Breaches (And How to Stop It)
The Most Dangerous Component: The “Dead Man’s Switch”
Here’s the terrifying part.
The malware includes a mechanism that checks whether it can still communicate with:
- Malicious GitHub repositories
- Valid npm tokens
If both channels are lost, the malware instantly deletes data on the infected machine.
This creates chaos:
- If GitHub takes down the malicious repos
- Or npm invalidates the compromised tokens
- Thousands of infected machines may execute simultaneous self-destruction
What Gets Wiped?
It depends on your OS:
On Windows
- Mass deletion of user files
- Disk sector overwriting to prevent recovery
On Linux/macOS
- Advanced wiping techniques
- Irrecoverable deletion of configs, projects, and keys
If you’re infected and the infrastructure collapses, you could lose your entire dev environment without warning.
How It Spreads So Fast: A Worm Powered by npm
The attack functions like a worm:
- A developer gets infected
- Their packages are infected
- Those packages infect more developers
- Each new dev propagates the attack via their dependencies
The scale and speed are exponential because npm is a tightly interconnected ecosystem.
Attack Work Flows (Source: Cybersecurity News)
Why You’re at Risk Even If You Don’t Use Bun
The malware pretends to be Bun—but you don’t need to use Bun to get infected.
All it takes is:
- Installing a compromised package
- Running an automated build
- Installing dependencies in CI/CD
- Running npm install locally without checking pre/post-install scripts
No one manually reviews 10MB binaries downloaded via npm. That’s the weakness the attackers exploit.
What You Can Do Right Now
At TecnetOne, we recommend these immediate actions for JavaScript developers and npm repo admins:
Enable Dependency Scanning
GitLab recommends their own tools—but the key is using any solution that flags tampered packages before they reach production.
Review Suspicious Scripts in Dependencies
Pay close attention to:
- preinstall
- install
- Postinstall
No package should download external binaries without justification.
Watch for Unusual Version Changes
Version bumps with no release notes, commits, or maintainer activity are clear compromise indicators.
Revoke Exposed Tokens
If you suspect infection:
- Revoke npm tokens
- Revoke GitHub tokens
- Remove cloud provider access keys
Isolate Your Dev Workstations
Don’t let AWS or GitHub credentials live on unprotected devices.
Apply Zero Trust Policies to Your Pipelines
Don’t assume a package is safe just because it’s popular or long-used.
Conclusion: The Most Dangerous npm Attack in Years
This attack combines:
- Massive credential theft
- Worm-like propagation
- Automatic npm package manipulation
- Exfiltration to GitHub
- A destructive “dead man’s switch” that can wipe entire machines
Without exaggeration, this is one of the most dangerous software supply chain attacks we’ve seen in years.
If you use npm, third-party dependencies, or CI/CD pipelines, you are on the front lines.
At TecnetOne, we stress this: it’s no longer enough to audit dependencies—you must monitor their behavior.
The JavaScript ecosystem is too large, too complex, and too vulnerable.
Your best defense starts with awareness—and rapid action.
