Shai-Hulud Returns: Over 300 NPM Packages Infected

Dev panic: 300+ packages booby-trapped, 27k repos ransacked. Is Node even safe?

TLDR: A fast-moving supply-chain attack booby-trapped 300+ NPM packages and touched more than 27,000 GitHub repositories, stealing developer credentials along the way. The community is split between panicking about Node’s safety and pushing for smarter audits, with victims like PostHog sharing fixes and trackers updating the fallout in real time.

The “Shai-Hulud” sandworm is back, and devs are spiraling. HelixGuard says over 300 JavaScript packages on NPM (the package registry for Node.js) were booby-trapped within hours. The malicious updates pose as a “Bun” runtime setup: a preinstall script fires before the install has even finished, sniffs the machine for secrets with TruffleHog, and registers a GitHub Actions runner named SHA1HULUD to haul the stolen NPM and cloud credentials away. With those tokens in hand the worm republishes more packages, and the fallout has reached more than 27,000 GitHub repositories. Cue meltdown.

The hottest take came from vintagedave, who asked: “Should someone develop new technologies using Node any more?” That question split the room. One camp says abandon ship and, at minimum, stop trusting auto-running install scripts; the other camp says tighten audits and don’t blame the whole ecosystem for one worm. Meanwhile, real-world pain hit: PostHog’s co-founder timgl chimed in, confirming they had been hit and had scrambled to rotate credentials and republish clean versions. Julius-fx summed up the mood bluntly: “concerning.”

Curious minds like spiderfarmer asked how these specific packages were compromised in the first place and whether the list will keep growing. Watchdogs like gonepivoting dropped a link to Wiz’s live tracker, which is posting updates and reverse-engineering notes as they land. Memes flew fast: Dune sandworm jokes, “npm preinstall = pre-intrusion,” and “Bun didn’t do this, hype did.” The drama: trust vs tooling, speed vs safety, and whether Node’s convenience now comes with a side of chaos.

Key Points

  • HelixGuard detected over 300 NPM packages poisoned within hours on Nov 24, 2025.
  • The malicious updates posed as Bun runtime integration: a preinstall hook plus a dropped bun_environment.js payload file.
  • The payload runs TruffleHog to harvest NPM and cloud credentials from the host, then exfiltrates them via GitHub Actions.
  • Artifacts (a runner named 'SHA1HULUD' and a telltale repo description) suggest ties to the September 2025 Shai-Hulud attack.
  • Using the stolen NPM tokens, the malware modifies other packages and republishes them, giving it worm-like propagation; over 27,000 GitHub repositories were affected.

Hottest takes

"Serious question: should someone develop new technologies using Node any more?" — vintagedave
"co-founder of PostHog here. We were a victim of this attack." — timgl
"Will the list of affected packages expand? How were these specific packages compromised in the first place?" — spiderfarmer

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.