Saved February 14, 2026
Do you care about this?
On November 24, 2025, over 1,000 NPM packages were compromised using a fake Bun runtime, leading to the infection of more than 27,000 GitHub repositories. The malicious code steals sensitive information and exfiltrates it via a GitHub Action runner. This incident appears to be linked to a previous attack identified as "Shai-Hulud."
If you do, here's more
On November 24, 2025, HelixGuard uncovered a significant security breach affecting over 1,000 packages in the NPM registry and more than 27,000 GitHub repositories. The attack involved malicious versions of these packages that falsely claimed to implement the Bun runtime. The malware introduced a `preinstall` script that executed `setup_bun.js`, which in turn triggered an obfuscated file, `bun_environment.js`. This malicious code was designed to steal sensitive data, including NPM tokens and cloud credentials from AWS, GCP, and Azure.
The attack mimicked legitimate components while injecting its own code into `package.json`. For instance, in the `@asyncapi/specs` package, the version change from 6.8.1 to 6.8.2 included a new `preinstall` script. The `bun_environment.js` file, exceeding 10MB, contained extensive logic for information theft and could repackage components to publish them using stolen tokens. It also established a GitHub Action runner named `SHA1HULUD`, which facilitated the exfiltration of stolen secrets through a newly created workflow.
The data exfiltrated included critical secrets like AWS keys and GitHub tokens, collected and encoded within a file named `actionsSecrets.json`. The attackers created new GitHub repositories with suggestive names, reinforcing the idea that they were behind previous attacks like "Shai-Hulud." The scale of this attack indicates a coordinated effort to compromise numerous projects by leveraging popular package ecosystems. The malicious behavior underscores the ongoing vulnerability within software supply chains and the need for vigilant security practices.
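The indicators named above (a `preinstall` hook that launches `setup_bun.js`, the dropped `bun_environment.js` payload, a workflow that targets a runner labelled `SHA1HULUD`, and the `actionsSecrets.json` staging file) can be turned into a simple tree audit for developers and CI owners. The script below is an added example written for this summary; it is not code from HelixGuard or from any affected project. The `check_package_json`, `scan_tree`, `build_sample` and `run_demo` names, the choice of lifecycle hooks to inspect, and the sample tree it constructs are all assumptions made for the demonstration; only the indicator strings come from the write-up.

```python
"""Audit a checkout for the package.json hook and dropped-file indicators from the write-up."""
import json
import tempfile
from pathlib import Path

# Indicator strings taken from the incident summary above.
SUSPECT_FILES = {"setup_bun.js", "bun_environment.js", "actionsSecrets.json"}
SUSPECT_RUNNER = "SHA1HULUD"
# Assumption: npm lifecycle hooks that run automatically on install are the ones worth flagging.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def check_package_json(pkg: dict) -> list[str]:
    """Return reasons a parsed package.json looks like it carries the injected hook."""
    reasons = []
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and any(name in cmd for name in SUSPECT_FILES):
            reasons.append(f"{hook} script references a known payload file: {cmd!r}")
    return reasons


def scan_tree(root: Path) -> list[dict]:
    """Walk a source tree and collect indicator hits as {'path', 'reason'} records."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "package.json":
            try:
                pkg = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifests are skipped, not treated as hits
            for reason in check_package_json(pkg):
                findings.append({"path": rel, "reason": reason})
        if path.name in SUSPECT_FILES:
            findings.append({"path": rel, "reason": f"file name matches payload indicator {path.name}"})
        in_workflows = ".github" in path.parts and "workflows" in path.parts
        if in_workflows and path.suffix in (".yml", ".yaml"):
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            if SUSPECT_RUNNER in text:
                findings.append({"path": rel, "reason": f"workflow references runner {SUSPECT_RUNNER}"})
    return findings


def build_sample(base: Path) -> Path:
    """Write a constructed tree: one clean package and one mimicking the injected hook."""
    clean = base / "clean-pkg"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "clean-pkg", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
    bad = base / "infected-pkg"
    (bad / ".github" / "workflows").mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "infected-pkg", "version": "1.0.1", "scripts": {"preinstall": "node setup_bun.js"}}))
    # Constructed stand-ins: harmless placeholder files that only reproduce the file names.
    (bad / "setup_bun.js").write_text("// constructed stand-in for the loader\n")
    (bad / "bun_environment.js").write_text("// constructed stand-in for the obfuscated payload\n")
    (bad / ".github" / "workflows" / "constructed.yml").write_text(
        "on: push\njobs:\n  run:\n    runs-on: SHA1HULUD\n    steps: []\n")
    return base


def run_demo() -> list[dict]:
    """Build the constructed sample in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as d:
        return scan_tree(build_sample(Path(d)))


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']}: {hit['reason']}")
```

Run it against a real checkout with `scan_tree(Path("."))`; the demo returns four hits, all under `infected-pkg`, and none for the clean package. File-name and string matching is deliberately narrow, so a clean result means only that these specific indicators are absent, not that the tree is free of other install-time hooks.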