The self-propagating worm Shai-Hulud has re-emerged in the npm ecosystem, rapidly escalating into one of the most significant software supply chain attacks to date. According to analysis by Wiz, within less than three days the campaign compromised tens of thousands of developers and their CI/CD infrastructures.
Scale of the Shai-Hulud 2.0 npm Supply Chain Campaign
Researchers identified hundreds of trojanized versions of popular npm packages, including components tied to ecosystems and services such as Zapier, ENS Domains, PostHog, Postman, AsyncAPI and others. These malicious packages served as a channel to steal developer secrets, GitHub and npm tokens, and cloud provider credentials.
By 24 November 2025, Wiz estimated that more than 25,000 GitHub repositories already contained exposed secrets linked to this operation, with roughly 1,000 new compromised repositories appearing every 30 minutes. BleepingComputer reported about 27,600 GitHub search results associated with the campaign, and Wiz observed around 350 unique npm accounts involved in propagating the malware.
The sudden surge of newly created repositories holding sensitive data strongly indicates that owners of those accounts had previously installed backdoored npm packages and executed them locally or in CI/CD environments, unintentionally granting the malware access to active tokens and private repositories.
From the First Shai-Hulud to 2.0: Evolution of a Supply Chain Worm
The Shai-Hulud worm was first documented in mid-September 2025 when it modified 187 npm packages. That initial variant abused TruffleHog, a legitimate and widely used secret-scanning tool, to automatically discover and exfiltrate secrets from private code repositories.
The first version cloned private repositories of compromised users into new public repositories, all prefixed with “migration”. This exposed hardcoded keys, tokens, and proprietary source code, increasing the risk of direct compromise and follow-on attacks across the affected organizations.
Shai-Hulud also implemented self-propagation. It downloaded all packages maintained by a victim, altered their package.json files, injected a bundle.js script, then repackaged and republished them to npm. This turned legitimate packages into automatic infection vectors for downstream dependencies, causing rapid, cascading spread across the ecosystem.
Technical Analysis of Shai-Hulud 2.0 Malware
The second generation, Shai-Hulud 2.0, significantly increases the risk surface by executing its malicious code during the pre-install phase, before a dependency has even finished installing. This means an attack can trigger even if installation ultimately fails, putting both developer workstations and CI/CD agents at risk.
Multi-Stage Data Theft and Destructive Behavior
StepSecurity’s analysis shows that the malware is composed of two main files: setup_bun.js, a dropper masquerading as an installer for the Bun runtime, and a roughly 10 MB payload file, bun_environment.js. The latter is heavily obfuscated using large hex-encoded strings, anti-analysis loops, and a convoluted string extraction mechanism executed at runtime.
The active variant executes a five-stage attack chain designed to locate and extract:
- GitHub and npm tokens from configuration files and environments;
- credentials for AWS, Google Cloud Platform, and Microsoft Azure;
- secrets used in CI/CD pipelines and automation workflows.
A notable and particularly dangerous characteristic of Shai-Hulud 2.0 is its destructive fallback behavior. If the malware fails to meet four conditions simultaneously (successful GitHub authentication, permission to create a repository, and discovery of both a GitHub token and an npm token), it proceeds to overwrite the user’s entire home directory. This transforms what is primarily a data theft campaign into a potential data-destruction incident.
Exfiltrated secrets are uploaded to automatically created GitHub repositories with the description “Sha1-Hulud: The Second Coming”. While this naming convention aids defenders in identifying traces of the attack, it also provides attackers with a centralized, structured collection of stolen data.
Impact on the npm Ecosystem and Recommended Defenses
Aikido Security reports roughly 500 compromised packages, while Koi Security counts more than 800 malicious packages when considering all infected versions. This illustrates the typical “domino effect” of a software supply chain attack: compromising a relatively small number of key packages can rapidly affect thousands of projects and development teams, similar in impact to earlier incidents such as event-stream in npm or the broader SolarWinds supply chain attack.
Immediate Actions for Developers and Security Teams
To contain and mitigate the risks, organizations should act without delay:
- Clear the npm cache and roll back to package versions released before 21 November 2025 wherever integrity is uncertain.
- Rotate all secrets and CI/CD tokens (GitHub, npm, and cloud providers) used by developers, build agents, and automation pipelines.
- Audit GitHub organizations for suspicious new repositories and commits referencing Shai-Hulud or carrying unusual descriptions.
- Where feasible, disable preinstall and postinstall scripts in CI environments, or strictly limit them to allow‑listed, vetted packages.
- Apply the principle of least privilege for tokens and service accounts, and avoid long‑lived credentials wherever possible.
Platform-Level Changes and Long-Term Supply Chain Security
In response to Shai-Hulud, S1ngularity, and similar attacks, GitHub has announced plans to strengthen publisher security, including mandatory two-factor authentication for local publishing, limiting the lifetime of Personal Access Tokens (PATs) to seven days, and phasing out TOTP in favor of FIDO-based authentication. However, these platform controls are being rolled out gradually, leaving organizations responsible for their own immediate defenses.
This incident underscores how vulnerable the modern software supply chain remains: a single infected npm package can trigger large-scale secret exposure and operational disruption. Organizations should treat Shai-Hulud 2.0 as a catalyst to harden their development lifecycle by minimizing privileges, rotating tokens regularly, avoiding secrets in source code, enforcing strict dependency control and allow‑listing, and integrating automated secret scanning and software composition analysis into every CI/CD pipeline.