Dead Man’s Switch: npm Malware Can Wipe Dev Machines

The software supply chain is once again at the center of a storm. And if you work with JavaScript, npm, or third-party dependencies—which is practically every dev team—you need to pay attention.

A new large-scale attack discovered by GitLab’s Vulnerability Research team is spreading an advanced, highly destructive variant of the Shai-Hulud malware. This time, the malware includes a “Dead Man’s Switch”: if attackers lose control of their infrastructure, the code starts deleting data on all infected systems.

Yes, it’s that extreme. And yes, it can affect you even if you only use third-party packages unrelated to the attackers.

At TecnetOne, we explain what’s happening and how to protect yourself.

What Kind of Attack Is This? A Massive Threat Inside the npm Ecosystem

This is a supply chain infection—one of today’s most feared attack vectors due to its ability to spread silently and rapidly.

The attackers have managed to inject tainted packages into the npm ecosystem, where thousands of developers download them unsuspectingly.

The mechanics are simple, but effective:

1. You install an infected npm package.
   
   
2. It runs a script that downloads a 10MB file masquerading as the Bun runtime.
   
   
3. That “runtime” is actually the new variant of Shai-Hulud malware.
   
   
4. The malware installs, hides, and begins stealing credentials and infecting other packages you manage.

This is a self-replicating worm-style attack vector that scales dangerously.

What the Malware Actually Does

This Shai-Hulud variant is designed to spread, steal secrets, and retain destructive power in case the attackers are cut off.

It Steals Every Credential It Can Find

Once inside, it scans for:

1. GitHub tokens
   
   
2. npm authentication keys
   
   
3. AWS, GCP, and Azure credentials
   
   
4. API keys
   
   
5. Secrets stored in config files

One particularly disturbing move: it downloads Trufflehog, a legit tool used to detect exposed keys—turning your own security tools against you.

It Infects All Your npm Packages Automatically

If you publish npm packages, the malware:

1. Modifies the package.json
   
   
2. Injects malicious scripts
   
   
3. Uploads contaminated versions
   
   
4. Propagates the attack downstream to your users

A single infected dev can trigger a supply chain reaction affecting thousands.

It Builds a Distributed Botnet Infrastructure

Stolen tokens are sent to attacker-controlled GitHub repos labeled:

“Shai1-Hulud: The Second Coming”

These repositories act as coordination nodes. If some go down, others keep working—ensuring attack resilience.

Learn more: The Hidden Cost of Supply Chain Breaches (And How to Stop It)

The Most Dangerous Component: The “Dead Man’s Switch”

Here’s the terrifying part.

The malware includes a mechanism that checks whether it can still communicate with:

1. Malicious GitHub repositories
   
   
2. Valid npm tokens

If both channels are lost, the malware instantly deletes data on the infected machine.

This creates chaos:

1. If GitHub takes down the malicious repos
   
   
2. Or npm invalidates the compromised tokens
   
   
3. Thousands of infected machines may execute simultaneous self-destruction

What Gets Wiped?

It depends on your OS:

On Windows

1. Mass deletion of user files
   
   
2. Disk sector overwriting to prevent recovery

On Linux/macOS

1. Advanced wiping techniques
   
   
2. Irrecoverable deletion of configs, projects, and keys

If you’re infected and the infrastructure collapses, you could lose your entire dev environment without warning.

How It Spreads So Fast: A Worm Powered by npm

The attack functions like a worm:

1. A developer gets infected
   
   
2. Their packages are infected
   
   
3. Those packages infect more developers
   
   
4. Each new dev propagates the attack via their dependencies

The scale and speed are exponential because npm is a tightly interconnected ecosystem.

Attack Work Flows (Source: Cybersecurity News)

Why You’re at Risk Even If You Don’t Use Bun

The malware pretends to be Bun—but you don’t need to use Bun to get infected.

All it takes is:

1. Installing a compromised package
   
   
2. Running an automated build
   
   
3. Installing dependencies in CI/CD
   
   
4. Running npm install locally without checking pre/post-install scripts

No one manually reviews 10MB binaries downloaded via npm. That’s the weakness the attackers exploit.

What You Can Do Right Now

At TecnetOne, we recommend these immediate actions for JavaScript developers and npm repo admins:

Enable Dependency Scanning

GitLab recommends their own tools—but the key is using any solution that flags tampered packages before they reach production.

Review Suspicious Scripts in Dependencies

Pay close attention to:

1. preinstall
   
   
2. install
   
   
3. Postinstall

No package should download external binaries without justification.

Watch for Unusual Version Changes

Version bumps with no release notes, commits, or maintainer activity are clear compromise indicators.

Revoke Exposed Tokens

If you suspect infection:

1. Revoke npm tokens
   
   
2. Revoke GitHub tokens
   
   
3. Remove cloud provider access keys

Isolate Your Dev Workstations

Don’t let AWS or GitHub credentials live on unprotected devices.

Apply Zero Trust Policies to Your Pipelines

Don’t assume a package is safe just because it’s popular or long-used.

Conclusion: The Most Dangerous npm Attack in Years

This attack combines:

1. Massive credential theft
   
   
2. Worm-like propagation
   
   
3. Automatic npm package manipulation
   
   
4. Exfiltration to GitHub
   
   
5. A destructive “dead man’s switch” that can wipe entire machines

Without exaggeration, this is one of the most dangerous software supply chain attacks we’ve seen in years.

If you use npm, third-party dependencies, or CI/CD pipelines, you are on the front lines.

At TecnetOne, we stress this: it’s no longer enough to audit dependencies—you must monitor their behavior.

The JavaScript ecosystem is too large, too complex, and too vulnerable.

Your best defense starts with awareness—and rapid action.