Publication croisée depuis https://programming.dev/post/41331208
"Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.
The malicious code exfiltrates the stolen information by creating a GitHub Action runner named SHA1HULUD, and a GitHub repository description Sha1-Hulud: The Second Coming… This suggests it may be the same attacker behind the “Shai-Hulud” attack observed in September 2025.
And now, over 27,000 GitHub repositories were infected."
Only a risk to those using npm; doesn’t matter where they exercise those bad dev procedures. Don’t quit using GitHub if you’re already okay with all the other issues it has.