Sha1-Hulud: The Second Coming!
more bad news for node.js and javascript developers this week as yet another worm spreads through their package repository, already affecting some very popular npm packages including zapier, postman, ENS domains, posthog, and asyncAPI.
the vulnerability research team at gitlab has uncovered an evolved version of the Shai-Hulud malware calling itself Sha1-Hulud: The Second Coming! it is named, like the first worm that was discovered a few months ago, after shai-hulud the eternal, the giant sandworm from frank herbert’s dune series, which the fremen revere as the physical embodiment of the one true god who created the universe.
this new variant of the worm is more destructive, containing a “dead man’s switch” that destroys user data if the malware fails to authenticate or exfiltrate stolen credentials from github and npm, which are the worm’s vectors of propagation.
just as with the first shai-hulud, the attackers aren’t interested in being quiet about the whole thing and will leave you a calling card, adding repositories to your github account with the description “Sha1-Hulud: The Second Coming!” to make sure that everyone knows that they have been there.
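since the calling card is a fixed repository description, it can be checked for directly. the script below is an added example, not code from gitlab or from the original post: it flags repositories in a github account whose description carries that string. the `GITHUB_TOKEN` variable name, the loose case/whitespace matching and the sample data are assumptions of this example.

```python
import json
import os
import re
import urllib.request

# description string reported in the post; compared case-insensitively with
# whitespace collapsed (that tolerance is this example's assumption)
MARKER = "Sha1-Hulud: The Second Coming"

def _norm(text):
    # the API returns null for an unset description, hence `or ""`
    return re.sub(r"\s+", " ", text or "").strip().lower()

def flag_repos(repos, marker=MARKER):
    """Return (created_at, visibility, full_name) for repos carrying the marker, oldest first."""
    needle = _norm(marker)
    hits = []
    for repo in repos:
        if needle in _norm(repo.get("description")):
            vis = "private" if repo.get("private") else "public"
            hits.append((repo.get("created_at") or "", vis, repo.get("full_name") or ""))
    return sorted(hits)

def fetch_repos(token):
    """Page through GET /user/repos for the token's account (needs network)."""
    repos, page = [], 1
    while True:
        req = urllib.request.Request(
            f"https://api.github.com/user/repos?per_page=100&page={page}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1

# constructed sample shaped like the API response; not real repositories
SAMPLE = [
    {"full_name": "example-user/webapp", "description": "Customer portal", "private": True, "created_at": "2023-04-02T10:00:00Z"},
    {"full_name": "example-user/k3v9q2xw", "description": "Sha1-Hulud: The Second Coming!", "private": True, "created_at": "2025-01-01T00:05:00Z"},
    {"full_name": "example-user/notes", "description": None, "private": False, "created_at": "2024-06-11T08:30:00Z"},
    {"full_name": "example-user/zz81mmpa", "description": "  sha1-hulud:  the second coming! ", "private": False, "created_at": "2025-01-01T00:03:00Z"},
]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    for created, vis, name in flag_repos(fetch_repos(token) if token else SAMPLE):
        print(created, vis, name)
```

without a token it runs against the constructed sample; with one it lists only what that token can see, so run it once per account or organisation you need to cover.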