Aggregator
Ransomware Attack Update for the 24th of November 2025
Shai-Hulud worm returns stronger and more automated than ever before
Self-replicating malware has infected almost 500 open-source packages, exposing more than 26,000 GitHub repositories in less than 24 hours.
The post Shai-Hulud worm returns stronger and more automated than ever before appeared first on CyberScoop.
FAQ About Sha1-Hulud 2.0: The “Second Coming” of the npm Supply-Chain Campaign
Sha1-Hulud malware is an aggressive npm supply-chain attack compromising CI/CD and developer environments. This blog addresses frequently asked questions and advises cloud security teams to immediately audit for at least 800 compromised packages.
A massive resurgence of the Sha1-Hulud malware family, self-titled by the attackers as "The Second Coming," was observed around Nov. 24 targeting the npm ecosystem. Attackers compromised at least 800 high-profile publisher accounts to upload trojanized versions of legitimate packages. Unlike previous iterations, these versions have new payloads and execute using install lifecycle scripts to compromise developer environments and CI/CD pipelines at scale. This time, the malware is significantly more aggressive than the previous campaign, including attempts to destroy the victim’s home directory and, in some cases, even delete all writable files owned by the user.
Frequently asked questions about Sha1-Hulud: The Second Coming
What is the initial vector of this new campaign?
The attack chain begins when a developer installs a compromised package containing a modified manifest file. The adversary injects a preinstall lifecycle script into package.json that immediately triggers a file named setup_bun.js upon installation.
Unlike typical supply chain attacks that execute malicious logic directly through the Node.js process, this script automatically downloads and installs the Bun runtime, a separate JavaScript environment. Once installed, the malware uses the Bun binary to execute a bundled payload, often named bun_environment.js. This "bring your own runtime" technique effectively allows the malicious code to operate outside the visibility of standard Node.js security tools and static analysis scanners that monitor the primary build process.
What is the impact of this campaign?
The blast radius of this campaign is extensive. Tens of thousands of GitHub repositories are reportedly affected. It extends to high-profile integrations, including ones from Zapier, ENS Domains, and Postman. By hijacking trusted publisher accounts rather than using typosquatting, the attackers successfully poisoned the supply chain at a fundamental level. This forced malicious code into thousands of corporate environments simply through routine dependency updates.
What are the immediate steps cloud security teams can take to address this issue?
- Audit your environment: Use a security scanner to check if you have malicious versions of the affected packages (see list below).
- Remove them by upgrading to a later version.
Which Tenable products can be used to address these malicious packages?
Tenable automatically and proactively detects malicious packages associated with Shai-Hulud campaigns across both on-premises and cloud environments.
This isn't a one-time check. Tenable Nessus and Tenable Cloud Security, our cloud-native application protection platform (CNAPP), continuously monitor for new indicators of compromise (IOCs) and track research associated with this evolving campaign. As Shai-Hulud adapts its tactics, our threat intelligence and risk analysis capabilities update in real time, ensuring your defense remains current and effective.
Plugin ID 265897 can be used to identify compromised packages affected in the Sha1-Hulud campaigns.
Tenable Cloud Security classifies affected packages as malicious; detected packages will appear in your Tenable Console environment the next time data is synced.
An appendix with a full listing of affected packages is available here.
The post FAQ About Sha1-Hulud 2.0: The “Second Coming” of the npm Supply-Chain Campaign appeared first on Security Boulevard.
ShadowRay 2.0 Turns AI Clusters into Crypto Botnets
Companionship
Malicious Blender model files deliver StealC infostealing malware
How does Secrets Management deliver value in Agentic AI management?
What Role Does Secrets Management Play in Harnessing Agentic AI? Picture a world where machines not only execute tasks but also make decisions, adapt, and evolve, much as humans do. This is the emerging frontier of Agentic AI, a transformative force. However, as promising as this technology is, its seamless and secure operation hinges significantly on effective Secrets Management. […]
The post How does Secrets Management deliver value in Agentic AI management? appeared first on Entro.
The post How does Secrets Management deliver value in Agentic AI management? appeared first on Security Boulevard.
How can Agentic AI be adaptable to regulatory changes?
Why Is Managing Non-Human Identities Essential in Cloud Security? Non-Human Identities (NHIs) play an instrumental role in modern cybersecurity frameworks. But what exactly constitutes an NHI, and why is its management vital in safeguarding our digital environments? Machine identities, known as NHIs, are the digital equivalents of human identities and are instrumental in ensuring secure interactions […]
The post How can Agentic AI be adaptable to regulatory changes? appeared first on Entro.
The post How can Agentic AI be adaptable to regulatory changes? appeared first on Security Boulevard.
What exciting advancements are coming in NHIs management?
How Does Non-Human Identity Management Shape Today’s Cybersecurity Landscape? Imagine a world where machines seamlessly interact with each other in a secure yet complex web of communication. How do we ensure the security of such vast and intricate structures? The answer lies in the effective management of Non-Human Identities (NHIs), which are fundamentally machine identities within cybersecurity. […]
The post What exciting advancements are coming in NHIs management? appeared first on Entro.
The post What exciting advancements are coming in NHIs management? appeared first on Security Boulevard.
How is the lifecycle of NHIs supported in enterprise environments?
Are You Effectively Managing Your Non-Human Identities? Cybersecurity professionals often grapple with a unique challenge—managing Non-Human Identities (NHIs) or machine identities. These identities, typically comprising secrets such as encrypted passwords, tokens, or keys, play a crucial role in modern enterprise environments. Yet, they demand a comprehensive approach to ensure effective security management. Understanding Non-Human Identities […]
The post How is the lifecycle of NHIs supported in enterprise environments? appeared first on Entro.
The post How is the lifecycle of NHIs supported in enterprise environments? appeared first on Security Boulevard.
Critical Flaw in Oracle Identity Manager Under Exploitation
New research finds that Claude breaks bad if you teach it to cheat
A new paper from Anthropic found that teaching Claude how to reward hack coding tasks caused the model to become less honest in other areas.
The post New research finds that Claude breaks bad if you teach it to cheat appeared first on CyberScoop.