vulnerability

Sha1-Hulud compromised Node.js Modules (Shai-Hulud 2.0)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Nov 24, 2025	Dec 5, 2025	Dec 5, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Nov 24, 2025

Added

Dec 5, 2025

Modified

Dec 5, 2025

Description

A widespread software supply chain compromise via affected npm packages was first detected September 23, 2025. On November 24, 2025, a second wave (also known as Sha1-Hulud or Shai-Hulud: The Second Coming) was detected. The self-propagating worm harvested credentials from cloud providers, CI/CD environments, and persisted via injected workflow files and remote runners.

This detection attempts to identify affected npm modules compromised through this campaign

Solution

sca-sha1-hulud-campaign

References

URL-https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today