{"id":"MAL-2025-191286","summary":"Malicious code in @pergel/module-graphql (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5ce0c82f79656be99edeef5afbd890a8a5720c0a0e6acbdd2ce273ed8c151c2c)\nThe package @pergel/module-graphql was found to contain malicious code.\n\n## Source: google-open-source-security (5f93142a5406ee9fd1c1ff30add1a0d360cf895262563a2906386014a4571f51)\nThis package was compromised by the Sha1-Hulud: The Second Coming NPM worm.\nThe malicious payload steals tokens and credentials and publishes them to\nGitHub. The worm will propagate itself to NPM packages the user owns and\nestablish persistence as a GitHub action.\nThe package may also destroy the user's home directory.\n","modified":"2025-12-01T04:40:41.465435Z","published":"2025-11-25T00:16:49Z","database_specific":{"malicious-packages-origins":[{"source":"google-open-source-security","sha256":"5f93142a5406ee9fd1c1ff30add1a0d360cf895262563a2906386014a4571f51","import_time":"2025-11-25T00:17:37.474116Z","versions":["0.6.1"],"modified_time":"2025-11-25T00:16:49Z"},{"source":"amazon-inspector","sha256":"5ce0c82f79656be99edeef5afbd890a8a5720c0a0e6acbdd2ce273ed8c151c2c","import_time":"2025-12-01T04:26:36.820821472Z","versions":["0.6.1"],"modified_time":"2025-12-01T04:11:22Z"}]},"references":[{"type":"WEB","url":"https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains"},{"type":"WEB","url":"https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack"},{"type":"WEB","url":"https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised"}],"affected":[{"package":{"name":"@pergel/module-graphql","ecosystem":"npm","purl":"pkg:npm/%40pergel/module-graphql"},"versions":["0.6.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@pergel/module-graphql/MAL-2025-191286.json"}}],"schema_version":"1.7.3","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}