It's another Monday morning, sitting down at the computer. And I see a stack of alerts from the last hour of packages showing signs of malware in our triage queue. Having not yet finished my first cup of coffee, I see Shai Hulud indicators. Yikes, surely that's a false positive? Nope, welcome to Monday, Shai Hulud struck again. Strap in.
We've detected the following packages compromised with a new version of Shai Hulud:
- @zapier/zapier-sdk (0.15.5, 0.15.6, 0.15.7)
- zapier-platform-core (18.0.2, 18.0.3, 18.0.4)
- zapier-platform-cli (18.0.2, 18.0.3, 18.0.4)
- zapier-platform-schema (18.0.2, 18.0.3, 18.0.4)
- @zapier/mcp-integration (3.0.1, 3.0.2, 3.0.3)
- @zapier/secret-scrubber (1.1.3, 1.1.4, 1.1.5)
- @zapier/ai-actions-react (0.1.12, 0.1.13, 0.1.14)
- @zapier/stubtree (0.1.2, 0.1.3, 0.1.4)
- @zapier/babel-preset-zapier
- @zapier/eslint-plugin-zapier
- @zapier/ai-actions
- zapier-platform-legacy-scripting-runner
- @zapier/spectral-api-ruleset
- @zapier/browserslist-config-zapier
- zapier-scripts (7.8.3, 7.8.4)
- posthog-node
- @posthog/wizard
- @postman/aether-icons
- @postman/csv-parse
- @postman/final-node-keytar
- @postman/mcp-ui-client
- @postman/node-keytar
- @postman/pm-bin-linux-x64
- @postman/pm-bin-macos-arm64
- @postman/pm-bin-macos-x64
- @postman/pm-bin-windows-x64
- @postman/postman-collection-fork
- @postman/postman-mcp-cli
- @postman/postman-mcp-server
- @postman/pretty-ms
- @postman/secret-scanner-wasm
- @postman/tunnel-agent
- @postman/wdio-allure-reporter
- @postman/wdio-junit-reporter
- @posthog/hedgehog-mode
- @posthog/nuxt
- @posthog/piscina
- @posthog/plugin-server
- @posthog/rrdom
- @posthog/rrweb
- @posthog/rrweb-player
- @posthog/rrweb-record
- @posthog/rrweb-replay
- @posthog/rrweb-snapshot
- @posthog/siphash
- @posthog/twitter-followers-plugin
- @posthog/web-dev-server
- @ensdomains/ens-validation (0.1.1)
- @ensdomains/content-hash (3.0.1)
- ethereum-ens (0.8.1)
- @ensdomains/react-ens-address (0.0.32)
- @ensdomains/ens-contracts (1.6.1)
- @ensdomains/ensjs (4.0.3)
- @ensdomains/ens-archived-contracts (0.0.3)
- @ensdomains/dnssecoraclejs (0.2.9)
- @ensdomains/address-encoder (0.1.5)
- @ensdomains/name-wrapper
- @ensdomains/offchain-resolver-contracts
- @ensdomains/ens-avatar
- @ensdomains/ensjs-react
- @ensdomains/unicode-confusables
- @ensdomains/durin-middleware
- @ensdomains/hardhat-toolbox-viem-extended
- @ensdomains/curvearithmetics
- @ensdomains/unruggable-gateways
- @ensdomains/web3modal
- @ensdomains/subdomain-registrar
- @ensdomains/op-resolver-contracts
- @ensdomains/buffer
- @ensdomains/eth-ens-namehash
- @ensdomains/ccip-read-worker-viem
- @ensdomains/hardhat-chai-matchers-viem
- @ensdomains/ccip-read-router
- @ensdomains/mock
- @ensdomains/test-utils
- @ensdomains/ui
- @ensdomains/server-analytics
- @ensdomains/solsha1
- @ensdomains/hackathon-registrar
- @ensdomains/renewal-widget
- @ensdomains/ens-test-env
- @ensdomains/reverse-records
- @ensdomains/ccip-read-cf-worker
- @ensdomains/dnssec-oracle-anchors
- @ensdomains/ccip-read-dns-gateway
- @ensdomains/dnsprovejs
- @ensdomains/thorin
- @ensdomains/cypress-metamask
- @ensdomains/durin
- @ensdomains/vite-plugin-i18next-loader
- @ensdomains/blacklist
- @ensdomains/renewal
- @asyncapi/generator-react-sdk
- @asyncapi/html-template
- @asyncapi/java-spring-template
- @asyncapi/modelina
- @asyncapi/nodejs-template
- @asyncapi/nunjucks-filters
- @asyncapi/python-paho-template
- @asyncapi/studio
- @asyncapi/diff
- typeorm-orbit
- orbit-nebula-draw-tools
- @trigo/atrix-postgres
- @orbitgtbelgium/orbit-components
- @orbitgtbelgium/time-slider
- @orbitgtbelgium/mapbox-gl-draw-cut-polygon-mode
- command-irail
- @trigo/fsm
- @trigo/trigo-hapijs
- trigo-react-app
- react-element-prompt-inspector
- bool-expressions
- atrix-mongoose
- orbit-nebula-editor
- orbit-boxicons
- @trigo/atrix
- redux-forge
- atrix
- @trigo/atrix-acl
- crypto-addr-codec
- @trigo/atrix-swagger
- @trigo/atrix-soap
- @trigo/keycloak-api
- @trigo/atrix-elasticsearch
- @trigo/hapi-auth-signedlink
- @trigo/atrix-pubsub
- @trigo/bool-expressions
- @trigo/atrix-orientdb
- @trigo/node-soap
- eslint-config-trigo
- @trigo/atrix-redis
- @trigo/eslint-config-trigo
- @trigo/jsdt
- @trigo/pathfinder-ui-css
- @louisle2/cortex-js
- @mparpaillon/imagesloaded
- @mparpaillon/connector-parse
- react-component-taggers
- token.js-fork
- @orbitgtbelgium/mapbox-gl-draw-scale-rotate-mode
- orbit-soap
- react-library-setup
- exact-ticker
- jan-browser
- @louisle2/core
- lite-serper-mcp-server
- cpu-instructions
- evm-checkcode-cli
- bytecode-checker-cli
- gate-evm-check-code2
- devstart-cli
- @caretive/caret-cli
- mcp-use
- @mcp-use/inspector
- create-mcp-use-app
- @mcp-use/cli
- @mcp-use/mcp-use
- skills-use
- zuper-cli
- test-hardhat-app
- zuper-stream
- redux-router-kit
- create-hardhat3-app
- test-foundry-app
- zuper-sdk
- zapier-async-storage
- gate-evm-tools-test
- claude-token-updater
- @markvivanco/app-version-checker
- @hapheus/n8n-nodes-pgp
- esbuild-plugin-httpfile
- open2internet
- vite-plugin-httpfile
- webpack-loader-httpfile
- bun-plugin-httpfile
- poper-react-sdk
- @actbase/react-native-devtools
- discord-bot-server
Leaking secrets
This time, the malware also publishes secrets to GitHub, in a repository with a random name and the description "Sha1-Hulud: The Second Coming." Currently we see 16k such repositories exposed.
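Two defender-side checks that follow from the indicators in this post, written here as an added example (not code from the original post or from any of the affected projects): scanning a `package-lock.json` for the compromised package/version pairs listed above, and flagging repository records whose description is the marker this wave writes. The `COMPROMISED` table is only a subset of the list above and should be extended with the full list; packages the post names without versions are treated as suspect at any version, which is a conservative choice made in this example. The lockfiles and repository records are constructed sample data.

```javascript
// Added example, not code from the original post. It shows two defender-side
// checks on the indicators above: (1) scan a package-lock.json for the
// compromised package/version pairs, (2) flag repositories whose description
// is the marker this wave writes. Lockfile and repo records are constructed.

// Subset of the indicators listed in the post: package name -> affected
// versions. An empty array means the post names the package without versions;
// this example treats every version of such a package as suspect (a
// conservative choice made here, not a statement from the post).
const COMPROMISED = {
  '@zapier/zapier-sdk': ['0.15.5', '0.15.6', '0.15.7'],
  'zapier-platform-core': ['18.0.2', '18.0.3', '18.0.4'],
  'zapier-platform-cli': ['18.0.2', '18.0.3', '18.0.4'],
  '@ensdomains/ensjs': ['4.0.3'],
  'posthog-node': [],
  '@posthog/wizard': [],
  'mcp-use': [],
};

// Repository description quoted in the post.
const REPO_MARKER = 'Sha1-Hulud: The Second Coming.';

function isAffected(name, version) {
  const versions = COMPROMISED[name];
  return Boolean(versions) && (versions.length === 0 || versions.includes(version));
}

// lockfileVersion 1 nests "dependencies" recursively; keep the install path
// so the report says where a transitive hit lives.
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isAffected(name, entry.version)) hits.push({ name, version: entry.version, path });
    walkV1(entry.dependencies, `${path}/`, hits);
  }
}

// lockfileVersion 2/3 flatten everything into "packages" keyed by install path,
// e.g. "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/".
function findCompromisedDeps(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === '') continue; // the root project itself
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (isAffected(name, entry.version)) hits.push({ name, version: entry.version, path });
    }
  } else {
    walkV1(lockfile.dependencies, '', hits);
  }
  return hits;
}

// Repository records (e.g. from an org inventory) whose description equals
// the marker, ignoring case and surrounding whitespace.
function flagExfilRepos(repos) {
  const want = REPO_MARKER.toLowerCase();
  return repos.filter((r) => (r.description || '').trim().toLowerCase() === want);
}

// Constructed sample data.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/zapier-platform-core': { version: '18.0.3' },
    'node_modules/zapier-platform-cli': { version: '18.0.1' }, // outside the affected range
    'node_modules/posthog-node': { version: '4.2.0' }, // listed without versions
    'node_modules/foo/node_modules/@zapier/zapier-sdk': { version: '0.15.6' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

const SAMPLE_LOCK_V1 = {
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    '@ensdomains/ensjs': { version: '4.0.3', dependencies: { 'mcp-use': { version: '0.0.1' } } },
    'left-pad': { version: '1.3.0' },
  },
};

const SAMPLE_REPOS = [
  { full_name: 'example-org/x7f2kq', description: 'Sha1-Hulud: The Second Coming.' },
  { full_name: 'example-org/website', description: 'Company website' },
  { full_name: 'example-org/q9zlm', description: '  sha1-hulud: the second coming.  ' },
];

console.log(findCompromisedDeps(SAMPLE_LOCK_V3));
console.log(findCompromisedDeps(SAMPLE_LOCK_V1));
console.log(flagExfilRepos(SAMPLE_REPOS).map((r) => r.full_name));
```

Run it with `node` against a real `package-lock.json` by replacing the sample objects with `JSON.parse(fs.readFileSync(...))`; the install path in each hit tells you which top-level dependency pulled in the affected package, which is what you need when deciding what to pin or remove. The description match is deliberately exact rather than a substring search so that it does not flood an audit with unrelated repositories that merely mention the name.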

Story developing... Stay tuned for updates.

