French CERT Reports 700+ npm Packages Compromised in Supply‑Chain Attack

On 23 November 2025 the French Computer Emergency Response Team (CERT‑FR) reported a supply‑chain attack targeting npm packages, named Sha1‑Hulud 2.0. By 26 November more than 700 packages were affected, mainly the latest releases, many of which developers later removed. The malware is distributed through malicious pre‑install scripts that harvest environment variables and configuration files, use TruffleHog, exfiltrate secrets, replicate the infection to other npm packages, and delete user data. CERT‑FR recommends scanning for indicators of compromise, checking all installed npm packages against the list of affected versions, temporarily freezing npm updates, restarting affected machines, and, if compromised, uninstalling the packages, validating CI pipelines and rotating secrets. Detailed information is available in the linked blog posts from PostHog and Postman.
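The check against the list of affected versions can be run on a project's lockfile, as in this added example (not code from CERT-FR or the linked posts). It assumes an npm lockfile v2/v3 `packages` map; every package name and version in it is a constructed placeholder, not a real indicator, and it also lists entries that npm marks with `hasInstallScript` for manual review.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) against an
// advisory list. AFFECTED and SAMPLE_LOCK are constructed placeholders.
const AFFECTED = {
  'example-affected-pkg': ['2.0.1', '2.0.2'],
  '@example-scope/tool': ['1.4.0'],
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function auditLockfile(lock, affected) {
  const hits = [];            // exact name + version matches from the advisory
  const installScripts = [];  // packages that run lifecycle scripts on install
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name) continue;
    // Object.hasOwn avoids false lookups on names like "constructor".
    if (Object.hasOwn(affected, name) && affected[name].includes(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
    if (meta.hasInstallScript) {
      installScripts.push({ name, version: meta.version, path });
    }
  }
  return { hits, installScripts };
}

// Constructed sample lockfile, including a nested (transitive) copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-affected-pkg': { version: '2.0.1', hasInstallScript: true },
    'node_modules/example-clean-pkg': { version: '3.1.0' },
    'node_modules/example-clean-pkg/node_modules/@example-scope/tool': { version: '1.4.0' },
    'node_modules/@example-scope/tool': { version: '1.3.9', hasInstallScript: true },
  },
};

const report = auditLockfile(SAMPLE_LOCK, AFFECTED);
console.log(JSON.stringify(report, null, 2));
```

For a real project, parse `package-lock.json` with `JSON.parse` and fill `AFFECTED` from the advisory's published list. The nested entry in the sample shows why the whole `packages` map is walked rather than only the top-level dependencies.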

Summary of content from

https://www.cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-051/
