This page provides the complete list of npm packages impacted by the SHA1-Hulud npm supply chain incident – Nov 2025, in which malicious package versions were published containing code designed to turn the compromised machine into an attacker-controlled GitHub Actions self-hosted runner, eventually enabling remote command execution and automated exfiltration of GitHub and npm secrets.
You can use this list to identify compromised versions and take remediation actions.
For more details, please view our public blog post: “Zero-day Extensive NPM Package Compromise – SHA1-Hulud npm supply chain incident.”