A significant cybersecurity event has been identified involving a second wave of the attack campaign known as Sha1-Hulud. This campaign has affected more than 25,000 software repositories through a credential theft mechanism involving the npm package manager.
Attack Mechanism: npm Preinstall Scripts
The method employed in this attack wave was the use of malicious npm preinstall scripts. An npm preinstall script is a command defined in the `scripts` section of a package’s package.json file that npm runs automatically on the installing user’s machine before the package itself is installed; no action beyond `npm install` is required. In the Sha1-Hulud campaign, these scripts were engineered for the specific purpose of stealing credentials from the development environments in which they executed. The attack thus turns a trusted, routine step (package installation) into a vector for running unauthorized code.
Scale and Impact of the Second Wave
The documented impact of this second wave is substantial, with reports confirming that over 25,000 repositories were affected. The label “second wave” indicates a continuation or re-emergence of a previously identified series of attacks operating under the Sha1-Hulud name. Compromising tens of thousands of repositories through a single distribution channel marks this as a large-scale software supply chain attack focused on stealing developer credentials.
Source: https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html