November 26, 2025
Regarding the Node Package Manager (npm) supply chain attack that started November 21, 2025, and affected over a thousands of packages, we have collected and identified corresponding hashes to make them publicly available in one single place for easier access.
To achieve the greatest possible coverage, we compared the file hashes of the package versions mentioned by Helixguard with those of the predecessor versions to identify the files containing malicious payloads. We determined the bun_environment.js and the setup_bun.js files to be the most relevant. Two different versions of the bun_environment.js file were encountered.
We have uploaded the relevant files to Malware Bazaar.
After processing the two bun_environment.js files, we identified the following differences:
– Some single quotes were changed to double quotes and vice versa
– All variables were renamed
– The file with the hash prefix f099 contains a single line more than the other file
The additional code line of the file with the hash prefix f099 is as follows:
let _44494 = '';
let _44495 = '';
return new Promise((_44496, _44497) => {
let _44498 = Bun.spawn([this.binaryPath, ..._44492], {
'cwd': this.config.workingDirectory,
'stdout': "pipe",
'stderr': "pipe"
});
let _44499 = setTimeout(() => {
_44498.kill();
_44497(Error("Trufflehog execution timed out after " + this.config.timeout + 'ms'));
}, this.config.timeout);
if (_44498.stdout) {
_44498.stdout.pipeTo(new WritableStream({
'write'(_44500) {
_44494 += new TextDecoder().decode(_44500);
}
}));
}
if (_44498.stderr) {
_44498.stderr.pipeTo(new WritableStream({
Consultants
| SHA256 hash | Package |
| a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a | Setup_bun.js |
| f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068 | bun_environment.js |
| 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0 | bun_environment.js |
We used the following three resources for reference:
https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
November 27, 2025 – This is the second post in a series of blog posts on how we implemented support for Beacon Object Files (BOFs) into our own command and control (C2) beacon using the Mythic framework. In this second post, we will present some concrete BOF implementations to show how they are used in the wild and how powerful they can be.
Author: Leon Schmidt
November 19, 2025 – This is the first post in a series of blog posts on how we implemented support for Beacon Object Files into our own command and control (C2) beacon using the Mythic framework. In this first post, we will take a look at what Beacon Object Files are, how they work and why they are valuable to us.
Author: Leon Schmidt
November 12, 2025 – In this blog post you will learn how to do patchless hooking using ICs without registering or executing any user mode exception handlers.
Author: Lino Facco
November 5, 2025 – This multi-part blog series will be discussing an undocumented feature of Windows: instrumentation callbacks (ICs).
Author: Lino Facco
September 25, 2025 – Regarding the Node Package Manager (npm) supply chain attack that started September 8, 2025, and affected 27 packages, we have collected and identified corresponding hashes to make them publicly available in one single place for easier access.
Author: Niklas Vömel
