56
Shai-Hulud round 2 on GitHub, massive leaks of data and propagation of stealer (about.gitlab.com)
submitted 1 month ago by pylapp@programming.dev to c/opensource@lemmy.ml
8 comments fedilink hide all child comments

Publication croisée depuis https://programming.dev/post/41331208

"Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

The malicious code exfiltrates the stolen information by creating a GitHub Action runner named SHA1HULUD, and a GitHub repository description Sha1-Hulud: The Second Coming.. This suggests it may be the same attacker behind the "Shai-Hulud" attack observed in September 2025.

And now, over 27,000 GitHub repositories were infected."

Other source with list of compromised package available

top 8 comments
sorted by: hot top controversial new old
[-] Cooper8@feddit.online 7 points 1 month ago

What are the implications for users of FOSS? Should we not be downloading from github?

[-] atmorous@lemmy.world 4 points 1 month ago

Every dev should be switching to Forgejo/Codeberg, & possibly Gitlab instead of Github for sure

[-] corsicanguppy@lemmy.ca 1 points 1 month ago

Only a risk to those using npm; doesn't matter where they exercise those bad dev procedures. Don't quit using GitHub if you're already okay with all the other issues it has.

[-] thatonecoder@lemmy.ca 3 points 1 month ago

NPM should be destroyed, at this point… so many problems come from that place.

[-] 4jVXAfSdzKnV@lemmy.ml 11 points 1 month ago

The Problem is not npm. The same can happen for maven, crates, gomods, and other. The problem is that all of these provide and generated a dependency hell where you implement one dependency for one thing which contains 10 subdependency where each of these dependency contain dependencies again. That the dependency hell which is causing such problems. The problem is not npm, its the mindset of developers.

[-] corsicanguppy@lemmy.ca 0 points 1 month ago

The same can happen for maven, crates, gomods, and other.

Yes.

The problem is [intricate dependencies]

Nah. Dependencies are fine. The method of bringing those in and validating them is where the supply-chain risk accumulates. We knew better when we still had mentors.

[-] Jayjader@jlai.lu 2 points 1 month ago

I just searched on GitHub for "Sha1-Hulud: The Second Coming.": 692 repositories. On the first page of results I was able to find a repo clearly made by the malware, and in that repo I was able to find someone's github token with a few applications of "decode from base64".

This is pretty bad. I don't know what exactly comes next, an awareness campaign to get people to clean their infected machines and packages?

[-] xyro@lemmy.ca 1 points 1 month ago

It's been a busy day..

this post was submitted on 25 Nov 2025
56 points (100.0% liked)

Open Source

43212 readers
354 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 6 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml