November 24, 2025
Sandworm ate my dependencies
SHA1-Hulud the Second Coming – Postman, Zapier, PostHog All Compromised via NPM
Monday meltdown: typo wars, dupe drama, and container panic over hacked apps
TLDR: A fast-spreading JavaScript worm hit hundreds of packages and big-name tools, timed before npm tightens security. Comments erupted into dupe-link squabbles, typo corrections, and a battle over extreme isolation versus containerizing everything—highlighting how fragile the software supply chain can be and why it matters.
The Dune-themed “Shai‑Hulud” worm just pulled a dramatic Second Coming, slipping into the JavaScript “app store” (npm) and touching popular developer tools like Postman, Zapier, and PostHog. With 425 packages and a whopping 132 million monthly downloads in the blast radius, the attacker timed the hit right before npm’s plan to revoke old publishing tokens—basically the keys devs use to upload code. The worm hunts for secret keys, splashes them on public GitHub, and then spreads more copies of itself. Yikes.
But the real show? The comments. First: dupe wars. One user yelled “Dup!” then quickly edited to “not a dup,” linking the other thread like it’s court evidence. Then came the typo police: “It’s Shai‑Hulud, not SHA1‑Hulud,” cue memes of pedants saving the internet one vowel at a time. Security hot takes went full gladiator: one dev swears they ssh into a second local user and live in tmux like a bunker; others preach “if you didn’t read it, run it in a container,” followed by skeptics asking how that works when every npm project drags a towering dependency tree behind it. The mood: part panic, part comedy, and 100% Monday chaos.
Key Points
- A second wave of the Shai-Hulud npm worm was detected on November 24, dubbed the “Second Coming.”
- The attack was timed ahead of npm’s December 9 revocation of classic tokens, with many users not yet on trusted publishing.
- Shai-Hulud scans for secrets using TruffleHog, exfiltrates them to a public GitHub repository, and pushes new copies to npm.
- The campaign timeline includes a first strike on September 16 and a follow-up technical analysis on September 18.
- 425 compromised packages totaling 132 million monthly downloads were identified, spanning namespaces like @accordproject, @asyncapi, @ensdomains, and @actbase.
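The comment-thread objection above (“how does that work when every npm project drags a towering dependency tree behind it”) is answerable with a lockfile audit rather than by eyeballing node_modules. The script below is an added example, not code from the article or from any of the projects it names: it walks a package-lock.json (the nested v1 “dependencies” tree or the flat v2/v3 “packages” map, including transitive packages buried under another package’s node_modules) and reports every installed package whose scope appears in the list of namespaces the Key Points mention. The scope list is taken from the article; the embedded lock file is constructed for the demo and is not a real dependency tree. A hit means “this scope was in the blast radius, go check the exact package and version against the published advisories,” not proof that your copy is the backdoored one.

```javascript
// Added example: triage a package-lock.json for packages in npm scopes named in
// the Shai-Hulud reporting. Scope list from the article; sample lock constructed.

// Scopes the article lists as touched by the second wave.
const AFFECTED_SCOPES = ["@accordproject", "@asyncapi", "@ensdomains", "@actbase"];

// Lockfile v2/v3 keys look like "node_modules/foo/node_modules/@scope/bar";
// the package name is everything after the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk a parsed package-lock.json and return [{ name, version, path }] for every
// installed package (direct or transitive) whose scope is in `scopes`.
function findPackagesInScopes(lock, scopes) {
  const hits = [];
  const scopeSet = new Set(scopes);
  const inScope = (name) =>
    Boolean(name) && name.startsWith("@") && scopeSet.has(name.split("/")[0]);

  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project itself.
    for (const [lockPath, meta] of Object.entries(lock.packages)) {
      if (lockPath === "") continue;
      const name = meta.name || nameFromLockPath(lockPath); // aliases carry a real name
      if (inScope(name)) hits.push({ name, version: meta.version, path: lockPath });
    }
  } else if (lock.dependencies) {
    // v1: nested tree, so recurse into each entry's own "dependencies".
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (inScope(name)) hits.push({ name, version: meta.version, path: p });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (v3 layout): one direct hit, one transitive hit hidden under
// another package, one unrelated package. Names are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/@asyncapi/example-pkg": { version: "2.1.0" },
    "node_modules/some-cli/node_modules/@ensdomains/example-lib": { version: "4.0.0" },
  },
};

// CLI entry: `node audit-lock.js path/to/package-lock.json`; with no argument the
// constructed sample is audited. Exit code 1 on hits only for a real file, so a
// CI step can fail the build.
function main() {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require("fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  const hits = findPackagesInScopes(lock, AFFECTED_SCOPES);
  if (hits.length === 0) {
    console.log("no packages from affected scopes found");
    return hits;
  }
  console.log(`${hits.length} package(s) from affected scopes:`);
  for (const h of hits) console.log(`  ${h.name}@${h.version}  (${h.path})`);
  if (lockPath) process.exitCode = 1;
  return hits;
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it against a real lockfile in CI and treat a non-zero exit as “stop and verify versions against the advisory list,” which is the cheap first step before the heavier options the thread argues about (containers, separate users, tmux bunkers).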