The Shai-Hulud malware, initially associated with the npm ecosystem, has now been detected in another core open source repository: Maven Central. This cross-ecosystem move significantly broadens the scope of the ongoing software supply chain campaign and raises the risk for developers working with both JavaScript and Java.
Shai-Hulud Detected in Maven Central via mvnpm-Generated Package
Researchers at Socket identified a malicious artifact in Maven Central: org.mvnpm:posthog-node:4.18.1. The package contains two hallmark components of the Shai-Hulud campaign: the loader setup_bun.js and the primary payload bun_environment.js. These are the same files previously observed in the second wave of Shai-Hulud attacks in the npm ecosystem.
It is important to note that the official Java project itself was not directly compromised. Instead, the malicious artifact was generated automatically by the mvnpm process, which re-packages npm modules as Maven artifacts. In practice, the malware “migrated” into the Java ecosystem through an automated mirroring mechanism for JavaScript dependencies.
Representatives of Maven Central have stated that they are introducing additional safeguards to block the re-packaging of already known compromised npm components, aiming to limit the future spread of similar artifacts across ecosystems.
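The cross-ecosystem spread described above means a Java team's dependency checks have to recognise an npm-derived artifact. The following is an added example, not code from Socket, Maven Central or the mvnpm project: it checks a pom.xml and the output of `mvn dependency:list` against a blocklist holding the one coordinate named in this article, and lists any JAR entry whose file name matches the two payload files. The pom, the `dependency:list` lines, the JAR and its internal path layout are constructed test data (the layout mvnpm uses inside its JARs is an assumption here, which is why the name check ignores directories).

```python
"""Check a Maven build for the Shai-Hulud artifact named in the article.

Added example, not code from Socket, Maven Central or mvnpm. BLOCKLIST holds
the coordinate the article names; every input below is constructed test data.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Known compromised coordinates (groupId:artifactId:version) from the article.
BLOCKLIST = {"org.mvnpm:posthog-node:4.18.1"}

# File names of the two-stage payload described in the article.
IOC_FILENAMES = {"setup_bun.js", "bun_environment.js"}

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# One line of `mvn dependency:list` output looks like:
#   [INFO]    org.mvnpm:posthog-node:jar:4.18.1:compile
# (artifacts with a classifier carry one extra field and are not handled here)
DEP_LIST_RE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+\s*$"
)


def pom_dependencies(pom_xml: str) -> list[str]:
    """Return groupId:artifactId:version for every <dependency> in a pom.xml."""
    root = ET.fromstring(pom_xml)
    coords = []
    for dep in root.findall(".//m:dependencies/m:dependency", POM_NS):
        g = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        a = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        v = dep.findtext("m:version", default="", namespaces=POM_NS)
        coords.append(f"{g}:{a}:{v}")
    return coords


def dependency_list_coords(output: str) -> list[str]:
    """Extract resolved coordinates from `mvn dependency:list` output."""
    coords = []
    for line in output.splitlines():
        m = DEP_LIST_RE.match(line)
        if m:
            coords.append(f"{m.group(1)}:{m.group(2)}:{m.group(3)}")
    return coords


def blocklisted(coords) -> list[str]:
    """Return the subset of coordinates that are on the blocklist, sorted."""
    return sorted(c for c in coords if c in BLOCKLIST)


def ioc_files_in_jar(jar_bytes: bytes) -> list[str]:
    """List JAR entries whose base name is one of the known payload files.

    The match is by file name at any depth because the directory layout that
    mvnpm produces is not stated in the article (assumption).
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(
            name for name in jar.namelist()
            if name.rsplit("/", 1)[-1] in IOC_FILENAMES
        )


# Constructed pom.xml: one clean dependency and the blocklisted one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.mvnpm</groupId>
      <artifactId>posthog-node</artifactId>
      <version>4.18.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.9</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed `mvn dependency:list` output for the same build.
SAMPLE_DEP_LIST = """[INFO] The following files have been resolved:
[INFO]    org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO]    org.mvnpm:posthog-node:jar:4.18.1:compile
"""


def sample_jar() -> bytes:
    """Constructed JAR standing in for a re-packaged npm module; the path layout is assumed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        base = "META-INF/resources/_static/posthog-node/4.18.1/"
        jar.writestr(base + "package.json", "{}")
        jar.writestr(base + "setup_bun.js", "// placeholder content, not the real loader\n")
        jar.writestr(base + "lib/index.js", "module.exports = {};\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("pom.xml hits:", blocklisted(pom_dependencies(SAMPLE_POM)))
    print("dependency:list hits:", blocklisted(dependency_list_coords(SAMPLE_DEP_LIST)))
    print("JAR IOC entries:", ioc_files_in_jar(sample_jar()))
```

In a real build the same functions run over the project's own pom.xml, the saved `dependency:list` output, and the JARs under `~/.m2/repository`; the blocklist should be fed from the vendors' published IOC lists rather than the single coordinate hard-coded here.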
Shai-Hulud v2: Stealthier Malware Focused on Secrets Theft
According to the investigation, the PostHog project was compromised in both npm and Maven, and in both cases the attacker used the same payload: Shai-Hulud version 2. This new variant is stealthier and explicitly designed to steal sensitive data from developers and DevOps teams.
Reports from Wiz and other participants in the analysis illustrate the scale of the campaign: as of 24 November 2025, more than 25,000 GitHub repositories contained exfiltrated secrets, and roughly 1,000 new repositories with exposed data were being created every 30 minutes.
Inside the Malware: setup_bun.js and bun_environment.js
Experts at Step Security describe Shai-Hulud as a two-stage JavaScript malware. The file setup_bun.js acts as a dropper, masquerading as a legitimate installer for the Bun JavaScript runtime. Once executed, it retrieves and launches the main payload.
The core payload, bun_environment.js, is a large (~10 MB) obfuscated file. Its code includes a hex-encoded string with thousands of entries, a loop whose sole purpose is to hinder analysis, and an obfuscated function that reconstructs the actual code line by line at runtime. This design significantly hinders static analysis and reduces the effectiveness of traditional antivirus and software composition analysis (SCA) tools.
After successfully executing, Shai-Hulud performs a multi-stage attack centered on secrets theft. The malware attempts to extract tokens for GitHub and npm, as well as cloud credentials for AWS, Google Cloud, and Microsoft Azure. If it fails to complete four key steps (authenticating to GitHub, creating a repository, finding a GitHub token, and finding an npm token), the malware switches to a destructive mode and overwrites the victim’s home directory.
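The traits listed above (a very large file, a huge hex-encoded string, and code reconstructed at runtime) are exactly what signature-based scanners miss, so a triage heuristic is a useful first filter before deeper analysis. The following is an added example, not Step Security's or any other vendor's detection logic: it scores a JavaScript source on size, on the number of hex escapes inside string literals, and on the share of the file that is string-literal data. The thresholds are assumptions derived from the description in this section, and both inputs at the bottom are constructed samples rather than real malware.

```python
"""Triage heuristics for a bun_environment.js-style obfuscated payload.

Added example, not a vendor's detection logic. Thresholds are assumptions
based on the article's description; the inputs are constructed samples.
"""
import re
from dataclasses import dataclass, field

# A hex escape inside a JavaScript string literal, e.g. "\x63\x6f".
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")
# Single- or double-quoted string literals, escape sequences included.
STRING_LIT_RE = re.compile(r"'(?:\\.|[^'\\])*'" + r'|"(?:\\.|[^"\\])*"')

SIZE_THRESHOLD = 5 * 1024 * 1024   # assumption: half of the reported ~10 MB
HEX_ESCAPE_THRESHOLD = 1000        # assumption: "thousands of entries"
STRING_RATIO_THRESHOLD = 0.5       # assumption: file is mostly encoded strings


@dataclass
class Triage:
    size_bytes: int
    hex_escapes: int
    string_ratio: float
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_js(source: str) -> Triage:
    """Score one JavaScript source for the obfuscation traits described above."""
    size = len(source.encode("utf-8"))
    hex_escapes = sum(1 for _ in HEX_ESCAPE_RE.finditer(source))
    string_chars = sum(len(m.group(0)) for m in STRING_LIT_RE.finditer(source))
    ratio = string_chars / max(len(source), 1)
    result = Triage(size, hex_escapes, round(ratio, 3))
    if size >= SIZE_THRESHOLD:
        result.reasons.append(f"large file: {size} bytes")
    if hex_escapes >= HEX_ESCAPE_THRESHOLD:
        result.reasons.append(f"{hex_escapes} hex-escaped characters in string literals")
    if ratio >= STRING_RATIO_THRESHOLD:
        result.reasons.append(f"{ratio:.0%} of the source is string-literal data")
    return result


def constructed_obfuscated_sample() -> str:
    """Constructed stand-in: one large hex-escaped string table, nothing executable."""
    plain = b"console.log('hello from the decoded stage');" * 100
    table = "".join(f"\\x{b:02x}" for b in plain)
    return f'var _t = ["{table}"];\nmodule.exports = _t;\n'


# Constructed benign module for comparison.
BENIGN_SAMPLE = "function add(a, b) { return a + b; }\nmodule.exports = { add };\n"

if __name__ == "__main__":
    for label, src in (("constructed", constructed_obfuscated_sample()), ("benign", BENIGN_SAMPLE)):
        t = triage_js(src)
        print(label, "suspicious" if t.suspicious else "clean", t.reasons)
```

Run over every .js file in a checkout or a node_modules tree, the function gives analysts a short list to look at by hand; minified legitimate bundles will also score high on the string-ratio check, so treat a hit as a prompt for review, not as a verdict.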
Abusing GitHub Actions: Misconfigurations and Mass Secrets Exposure
According to Aikido Security, the attackers heavily exploited misconfigured CI/CD pipelines in GitHub Actions. In particular, they abused workflows triggered by pull_request_target and workflow_run, which, when configured insecurely, can give an attacker access to privileged tokens and the ability to run arbitrary code in other projects’ repositories.
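The dangerous combination is a privileged trigger together with a checkout of the untrusted side's code in the same job. The following is an added example, not Aikido Security's tooling or any named project's workflow: it audits a workflow file for that combination using line-based matching rather than a YAML parser, so that it runs with the standard library alone. The two workflows at the bottom are constructed samples showing the weak pattern and a corrected one.

```python
"""Audit GitHub Actions workflow files for the trigger misuse described above.

Added example, not Aikido Security's tooling or any project's own workflow.
Line-based matching is used instead of a YAML parser; the two workflows at the
bottom are constructed samples.
"""
import re

# Triggers that run in the base repository's context with its secrets and a
# GITHUB_TOKEN scoped by the workflow's permissions, even for external PRs.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")

# Expressions that resolve to code controlled by the untrusted side of the event.
UNTRUSTED_REFS = (
    "github.event.pull_request.head.sha",
    "github.event.pull_request.head.ref",
    "github.event.workflow_run.head_sha",
    "github.event.workflow_run.head_branch",
)

REF_LINE_RE = re.compile(r"^\s*ref\s*:\s*(.+?)\s*$")


def audit_workflow(text: str) -> list[str]:
    """Return findings; an empty list means the workflow passes this audit."""
    findings = []
    triggers = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", text)]
    if not triggers:
        # For a fork PR the plain pull_request trigger gets a read-only token and no secrets.
        return findings
    for t in triggers:
        findings.append(f"info: trigger '{t}' exposes repository secrets to this workflow")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REF_LINE_RE.match(line)
        if m and any(ref in m.group(1) for ref in UNTRUSTED_REFS):
            findings.append(
                f"high: line {lineno} checks out untrusted code ({m.group(1)}) "
                f"in a job that holds secrets"
            )
    return findings


# Constructed sample of the weak pattern: privileged trigger, PR head checked
# out, then a package install that executes that code with a secret in scope.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed corrected version: plain pull_request trigger, read-only token,
# no secrets needed for the test job.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or ["no findings"])
```

When a job genuinely needs base-repository secrets (for example to post a comment), the usual fix is to keep pull_request_target but never check out or execute the PR's code in that job; if the job must build the PR, run it under pull_request instead and pass only inert artifacts to a later privileged job. A real audit should also be run with a YAML parser, since the line-based matching here can miss triggers written on one line or `ref:` keys in unusual layouts.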
These configuration flaws led to the compromise of several high-profile open source projects, including AsyncAPI, Postman, and PostHog. Stolen secrets were then automatically pushed to GitHub repositories with descriptions such as “Sha1-Hulud: The Second Coming”, simplifying large-scale aggregation and later misuse of the exposed data.
Joint assessments by GitGuardian, OX Security, and Wiz indicate that the campaign resulted in the leakage of hundreds of GitHub tokens and numerous cloud provider credentials. More than 5,000 files containing stolen secrets were uploaded to GitHub. An analysis of 4,645 repositories revealed 11,858 unique secrets, of which 2,298 were still valid and publicly accessible as of 24 November 2025.
Implications for Software Supply Chain Security
The Shai-Hulud wave of attacks underscores how vulnerable the modern software supply chain remains. Compromising a single popular package, or a widely used CI pipeline, can create a cascading risk for thousands of downstream projects that implicitly trust those dependencies and build systems.
To reduce exposure, organizations and development teams should revisit their trust assumptions around package registries and automatic mirrors, enforce strict dependency checks (including SCA tooling and blocklists of known compromised artifacts), and apply the principle of least privilege to GitHub Actions and other CI/CD platforms. Unsafe triggers such as pull_request_target should not be used without additional validation layers, and continuous secrets scanning should be integrated into both repositories and CI logs.
Strengthening these practices—before the next malware wave appears—can significantly limit the business impact of future supply chain attacks and help ensure that open source innovation does not come at the cost of systemic security failures.