A new variant of the NPM supply chain attack, dubbed Sha1-Hulud, has emerged with enhanced capabilities. Unlike its predecessor, this attack executes in the preinstall phase, targeting popular packages such as Postman, Zapier, and AsyncAPI. The malware harvests credentials across AWS, Azure, and GCP, and establishes persistence through GitHub Actions. It creates a self-hosted runner named 'SHA1HULUD' and adds a workflow with an injection vulnerability. The attack's impact extends beyond the development environment, potentially allowing lateral movement across cloud infrastructures. Immediate actions recommended include removing compromised packages, revoking and regenerating tokens and credentials, and enforcing hardware-based MFA for developer accounts.