New wave of widespread supply chain compromise impacting npm ecosystem

11:00am, 25 November 2025

TLP Rating: Clear

The NCSC is aware of reports of an evolved version of the Shai-Hulud worm circulating and compromising almost 500 packages.

Like the previous variant, this worm harvests credentials from:

  • GitHub,
  • npm, and
  • cloud platforms such as AWS, GCP, and Azure.

It then exfiltrates the stolen data to attacker-controlled GitHub repositories. It propagates by automatically infecting other packages owned by victims and, unlike the original worm, contains a destructive payload that triggers if the malware loses access to its infrastructure.

Some of the main differences between the current and previous attack are:

  • It installs the bun runtime using the file setup_bun.js, then uses bun to execute bun_environment.js, which contains the malicious code,
  • It creates a randomly named repository to hold the stolen data, rather than one with a preset name, and
  • If it cannot authenticate to GitHub, create a repository on the platform, fetch a GitHub token, or find an npm token, it wipes all files in the user’s home directory.

What's happening

Systems affected

JavaScript npm packages.

What to look for

How to tell if you're at risk

Review the npm packages used in your applications to identify any that may be malicious.

How to tell if you're affected

Indicators of compromise:

bun_environment.js:

  • 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0
  • f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068
  • cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd

setup_bun.js:

  • a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a

What to do

Mitigation

The following suggestions can be implemented to help identify and mitigate the issue:

  • Begin by scanning across all endpoints for the presence of impacted packages, removing any that are found.
  • Rotate all GitHub, npm, cloud, and CI/CD credentials.
  • Check your GitHub repository for suspicious files or the presence of unexpected branches.
  • Disable npm postinstall scripts in CI where possible.
  • Freeze npm package updates.
  • Implement MFA on GitHub and npm accounts.
  • Consider implementing supply chain checker tools to block malicious npm packages.
  • Consider implementing a Software Bill of Materials.

A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity

More information

Read more about this alert on the following websites:


Read more about the previous attack:

Widespread supply chain compromise impacting npm ecosystem

If you require more information or further support, submit a report on our website:

Report an incident

If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.