FAQ: Are products in the zenon product family affected by Shai-Hulud and Sha1-Hulud, The Second Coming

Quick Information:
  • Shai‑Hulud and "Sha1‑Hulud, The Second Coming" are malicious campaigns targeting the software supply chain
  • Comprehensive scans of all npm dependencies and an in‑depth review of our code repositories have been conducted
  • Based on current information, products in the zenon product family are not affected by Shai-Hulud or Sha1‑Hulud, The Second Coming
Info:
    As a software manufacturer, COPA-DATA takes supply‑chain security and the protection of its customers and partners very seriously.

    This FAQ explains what the Shai‑Hulud and "Sha1‑Hulud, The Second Coming" campaigns are and describes the steps we have taken to verify that our products are not affected.

    What is Shai‑Hulud / Sha1‑Hulud, The Second Coming?

    A recent incident, named "Sha1-Hulud: The Second Coming," marks a significant escalation of the ongoing Shai‑Hulud malware campaign and exceeds the impact of the initial campaign observed in September 2025. These attacks fall into the category of npm supply‑chain attacks, where attackers upload new packages or modify existing ones in the npm ecosystem so that malicious code is introduced into software projects as part of normal development and update processes.

    While the impact of the initial Shai‑Hulud wave was estimated at around 200 npm packages, the new campaign has reportedly compromised more than 1,000 npm packages and affected over 350 maintainers, significantly expanding the scope of the attack.

    The goals of these packages include: executing harmful code automatically when a package is installed, for example by using install or post‑install scripts; stealing sensitive information such as tokens, keys, and other secrets; and, in some variants, spreading further by inserting themselves as dependencies into additional projects in a worm‑like manner. The term "Sha1-Hulud, The Second Coming" refers to the current wave of malicious activity that builds on the original Shai‑Hulud techniques but introduces updated and more aggressive behavior. One newly observed destructive fallback mechanism attempts to wipe a victim’s entire home directory by deleting all writable files if credential theft or data exfiltration is not successful.

    What we did

    As with the initial reports of Shai‑Hulud back in September, we were informed about the current malicious campaign by our internal Cyber Threat Intelligence (CTI) and by our third‑party dependency management platform.

    Based on this information, we carried out a targeted review of the npm packages used within the products in the zenon product family. This review included scans of all npm dependencies, both direct and transitive, to identify any overlap with known malicious packages and versions associated with Shai‑Hulud or "Sha1‑Hulud, The Second Coming". In addition, we performed a detailed search of our source code repositories to look for any references to the affected packages.
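
The kind of dependency check described above, as an added example (not COPA-DATA's tooling): it walks every direct and transitive entry of an npm lockfile (lockfileVersion 2 or 3), matches name and version against a known-bad list, and lists packages that declare install scripts. All package names, versions and the `KNOWN_BAD` list are constructed placeholders.

```javascript
// Constructed indicator list (placeholder names and versions); in practice,
// load the affected name/version pairs from your advisory or CTI feed.
const KNOWN_BAD = new Map([
  ["example-compromised-pkg", new Set(["1.2.4", "1.2.5"])],
  ["@example-scope/helper", new Set(["3.0.1"])],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path, entry) {
  if (entry.name) return entry.name; // set when the real name differs (aliases)
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// lock: parsed package-lock.json, e.g. JSON.parse of the file contents.
function scanLockfile(lock, knownBad = KNOWN_BAD) {
  if (!lock.packages) {
    throw new Error("no 'packages' map (lockfileVersion 1?); regenerate the lockfile");
  }
  const findings = { malicious: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // root project or workspace link
    const id = `${nameFromPath(path, entry)}@${entry.version}`;
    // Match on exact name AND version: only specific releases are affected.
    if (knownBad.get(nameFromPath(path, entry))?.has(entry.version)) {
      findings.malicious.push({ id, path });
    }
    // Install scripts run code at install time, so list them for review.
    if (entry.hasInstallScript) findings.installScripts.push({ id, path });
  }
  return findings;
}

// Constructed sample lockfile: one clean copy and one affected nested
// (transitive) copy of the same package, plus a scoped package.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-clean-lib": { version: "2.0.0" },
    "node_modules/example-compromised-pkg": { version: "1.2.3" },
    "node_modules/example-clean-lib/node_modules/example-compromised-pkg":
      { version: "1.2.5", hasInstallScript: true },
    "node_modules/@example-scope/helper": { version: "3.0.1" },
    "node_modules/example-native-addon": { version: "4.1.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

The nested copy shows why the lockfile, not `package.json`, is the thing to scan: the affected version appears only as a transitive dependency.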

    Result for the zenon Software Platform

    Our investigation, combining the results from the dependency management platform with our internal repository review, found no npm packages reported as affected by Shai‑Hulud or "Sha1‑Hulud, The Second Coming" in relation to the zenon Software Platform.

    Therefore, based on the information and indicators available at this time, we conclude that the products in the zenon product family are not affected by Shai-Hulud or "Sha1‑Hulud, The Second Coming".

    We will continue to monitor relevant threat‑intelligence sources and update our assessment if new, reliable technical indicators emerge that require further action.