In what security experts are calling one of the most severe JavaScript supply chain attacks in history, a self-propagating worm dubbed “Shai-Hulud 2.0” has compromised over 25,000 GitHub repositories and 700+ npm packages with a combined download count exceeding 100 million. The attack, which began on November 21, 2025, represents a dangerous evolution from the original September campaign, featuring pre-install execution, destructive payloads, and exponential worm-like propagation.
Key Statistics:
25,000+ GitHub repositories compromised
700+ npm packages infected (and growing)
100M+ total downloads affected
1,000 new repositories created every 30 minutes at peak
Major victims: Zapier, ENS Domains, PostHog, Postman, AsyncAPI, CrowdStrike
This is not a drill. If your organization uses npm packages, you need to act immediately.
Table of Contents
What is Shai-Hulud 2.0?
Attack Timeline: From September to “The Second Coming”
The 7-Stage Attack Chain
High-Profile Victims
Why Version 2.0 is Deadlier: 8 Critical Evolutions
Technical Deep Dive: How the Attack Works
Indicators of Compromise (IOCs)
Immediate Defense Actions
How Seceon Protects Against Supply Chain Attacks
Conclusion: The New Reality of Supply Chain Security
How to Stay Protected
Why Seceon
Get Protected Today
Additional Resources
What is Shai-Hulud 2.0?
Named after the giant sandworms from Frank Herbert’s Dune novels, Shai-Hulud is a self-propagating malware worm that spreads through the npm ecosystem by compromising package maintainer accounts and injecting malicious code into legitimate packages. The “2.0” designation refers to this campaign’s dramatically enhanced capabilities compared to the original September 2025 attack.
The Dune Reference
The attackers’ choice of name is deliberately theatrical. Like the sandworms of Arrakis that could swallow entire cities, this digital worm consumes development environments, CI/CD pipelines, and cloud credentials at an unprecedented scale. The “Second Coming” subtitle attached to this campaign suggests the threat actors view this as a triumphant return-and the numbers back up their confidence.
Campaign Overview
First Wave (September 15-16, 2025):
459 packages compromised
Post-install script execution
Predictable repository naming (/shai-hulud)
Second Wave – “The Second Coming” (November 21-25, 2025):
700+ packages compromised (and climbing)
25,000+ malicious GitHub repositories
Preinstall script execution (major evolution)
Random repository naming (harder to detect)
Destructive “scorched earth” payload
1,000 new infections every 30 minutes at peak
The shift from post-install to preinstall execution is particularly significant. This means the malware runs before the package even finishes installing, dramatically widening the attack surface to include not just production systems but development machines and CI/CD pipelines.
Attack Timeline
September 15-16, 2025: The Original Shai-Hulud
The first Shai-Hulud campaign began when security researchers discovered that dozens of popular npm libraries had been replaced with malicious versions. The attack compromised 459 packages, including some with millions of weekly downloads. The malware used post-install scripts to:
Scan for GitHub Personal Access Tokens (PATs)
Harvest npm authentication tokens
Exfiltrate credentials to public GitHub repositories named “/shai-hulud”
Propagate to other packages maintained by the compromised developer
The original campaign was devastating enough to be called one of the worst npm supply chain attacks. But it was merely the proof of concept.
November 21-23, 2025: “The Second Coming” Deployment
Three months later, the attackers returned with a vengeance. Starting on November 21, 2025, security vendors began detecting a new wave of compromised packages. This time, the infection spread at unprecedented speed:
November 21, 3:16 AM GMT: First packages detected (go-template, 36 AsyncAPI packages)
November 21, 4:11 AM GMT: PostHog packages compromised
November 21, 5:09 AM GMT: Postman packages hit
November 24: Peak spread rate of 1,000 new malicious repositories every 30 minutes
November 24, 2025: Peak Propagation
By November 24, the worm had reached its maximum spread velocity. Security researchers watching the campaign in real-time observed:
Approximately 1,000 new GitHub repositories created every 30 minutes
Each compromised maintainer account became a new distribution vector
The worm exhibited true autonomous propagation without further attacker intervention
Traditional detection methods overwhelmed by the sheer volume and speed
December 9, 2025: The Deadline
npm has announced it will revoke all classic authentication tokens on December 9, 2025, in response to this wave of supply chain attacks. The timing of the Shai-Hulud 2.0 campaign—striking just before this deadline—suggests the threat actors saw this as their last opportunity to exploit classic tokens at scale.
Many organizations have not yet migrated to trusted publishing workflows, creating a perfect storm of vulnerable accounts and expiring security measures.
The 7-Stage Attack Chain
Understanding how Shai-Hulud 2.0 works is critical to defending against it. The attack follows a sophisticated seven-stage process:
Stage 1: Initial Compromise
Objective: Obtain npm or GitHub maintainer credentials
The attack begins with credential theft, typically through:
Credential stuffing using leaked passwords from other breaches
Exploitation of weak passwords on high-value accounts
Social engineering to obtain Personal Access Tokens (PATs)
Researchers believe the initial compromise may have occurred weeks or months before the November campaign, allowing attackers to build up a portfolio of compromised accounts.
Stage 2: Package Injection
Objective: Publish trojanized versions of legitimate packages
Using stolen credentials, attackers authenticate to the npm registry as the legitimate maintainer and publish new versions of popular packages. These versions include malicious code hidden in two key files:
setup_bun.js – Downloads and installs the Bun JavaScript runtime
bun_environment.js – The actual malware payload
The malicious code is injected into the preinstall script section of package.json, ensuring it executes before the package even finishes installing.
Stage 3: Automatic Execution
Objective: Run malware without user interaction
This is where Shai-Hulud 2.0’s most significant evolution occurs. Unlike the original version that used post-install scripts (which some security tools can catch), version 2.0 uses preinstall scripts.
When a developer or CI/CD system runs npm install, the preinstall script executes immediately and automatically:
“scripts”: {
“preinstall”: “node setup_bun.js”
}
This happens:
Before most security scanners can analyze the package
On developer workstations (not just production)
In CI/CD pipelines (potentially compromising build infrastructure)
With the permissions of whoever ran npm install
The setup_bun.js script downloads the Bun runtime, then uses it to execute bun_environment.js, which contains the main malware payload.
Stage 4: Credential Harvesting
Objective: Steal as many secrets as possible
Once executing, the malware deploys TruffleHog, an open-source secret scanning tool, to comprehensively harvest credentials from the compromised environment:
Environment Variables:
npm_* (npm authentication tokens)
GITHUB_TOKEN (GitHub Personal Access Tokens)
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
AZURE_CLIENT_ID and AZURE_CLIENT_SECRET
GCP_SERVICE_ACCOUNT_KEY
Configuration Files:
.npmrc (npm configuration and tokens)
.gitconfig (GitHub credentials)
~/.ssh/ (SSH keys)
~/.aws/credentials (AWS credentials)
Cloud service configuration files
Cloud Metadata Services:
AWS EC2 instance metadata (169.254.169.254)
Azure instance metadata service
GCP metadata server
The malware is thorough, scanning:
Current working directory
User home directory
Common configuration locations
Process environment variables
Docker container environment
Stage 5: Data Exfiltration
Objective: Transmit stolen credentials to attacker-controlled infrastructure
This is where Shai-Hulud 2.0 becomes particularly brazen. Instead of using traditional command-and-control servers, the malware creates public GitHub repositories under the victim’s own account:
Scope: Every writable file owned by the current user
Result: Complete data loss—documents, code, configurations, SSH keys, everything
Privilege Escalation for Maximum Damage: If running on Linux, the malware attempts to gain root access via Docker:
docker run –privileged -v /:/host alpine sh -c “echo ‘victim ALL=(ALL) NOPASSWD:ALL’ > /host/etc/sudoers.d/shai-hulud”
This:
Launches a privileged Docker container
Mounts the host root filesystem to /host
Modifies the sudoers file to grant passwordless root access
Allows further system-wide destruction
The Message: This scorched earth tactic sends a clear message: “If I can’t steal from you, I’ll destroy you.” It transforms the attack from espionage into sabotage, significantly raising the stakes for organizations.
High-Profile Victims
The list of compromised organizations reads like a who’s who of the modern development ecosystem:
A single compromised package can affect thousands of projects through the dependency tree, creating a cascade effect that’s nearly impossible to fully track.
Why Version 2.0 is Deadlier: 8 Critical Evolutions
The original Shai-Hulud was bad. Version 2.0 is a nightmare. Here’s why:
1. Preinstall Execution: Bypassing Security
What Changed:
v1: Post-install scripts (run after package installation)
v2: Preinstall scripts (run BEFORE installation completes)
Why It Matters: Most security tools scan packages after they’re downloaded but before they’re installed. They look for suspicious patterns in the code, check file hashes, analyze dependencies. This happens in the window between download and installation.
Preinstall scripts execute during the download phase, before these security checks can complete. This means:
Static analysis tools: Can’t catch it
Runtime protection: Too late
Manual review: Won’t see it until already executed
CI/CD scanners: Compromised before they can raise alerts
The malware runs with the same permissions as whoever executed npm install:
On developer workstations: Full user access
In CI/CD pipelines: Often with elevated cloud credentials
On build servers: Access to production deployment keys
In Docker containers: Potential host escape via volume mounts
Real-World Impact: A senior developer at a Fortune 500 company running npm install for a routine dependency update could inadvertently:
Compromise their workstation
Expose their GitHub PAT (giving access to all company repositories)
Leak AWS credentials (if configured locally for testing)
Trigger the worm to infect all packages they maintain
All in the time it takes to type one command.
2. Scorched Earth: Punitive Destruction
What’s New: If credential theft fails-no npm tokens, no GitHub access, unable to create exfiltration repositories-Shai-Hulud 2.0 doesn’t just exit gracefully. It destroys everything it can reach.
The Destructive Payload:
# Pseudocode representation
if (no_credentials_found && cannot_exfiltrate):
for file in user_home_directory:
if file.is_writable():
secure_overwrite(file) # Multiple passes with random data
delete(file)
What Gets Destroyed: Everything in the user’s home directory:
Source code: Local repositories, uncommitted work
Documents: Personal files, company documents
SSH keys: Access to servers, Git repositories
Configuration files: IDE settings, tool configurations
Database credentials: Local dev database passwords
Secure Overwrite: Unlike simple deletion (which can often be recovered), secure overwrite:
Writes random data over the file multiple times
Ensures data cannot be forensically recovered
Then deletes the file
Makes recovery essentially impossible
Why This Changes Everything: Previous supply chain attacks focused on espionage—steal credentials and stay hidden. Shai-Hulud 2.0 says: “If I can’t steal from you, I’ll destroy you.” This transforms it from a pure espionage campaign into cyber vandalism, raising the stakes dramatically.
Organizations now face not just credential theft but potential catastrophic data loss. The backup strategy for your source code repositories just became a critical security control.
3. GitHub Actions Abuse: Persistent Backdoor
The Innovation: Shai-Hulud 2.0 doesn’t just steal credentials and leave. It establishes persistent access by injecting malicious GitHub Actions workflows into compromised repositories.
Appears Normal: Automated workflows are common in modern development
Hard to Detect: Buried in .github/workflows/ among legitimate workflows
Survives Cleanup: Even if credentials are rotated, the backdoor persists
Enables Lateral Movement: Can access any repository the user/organization has access to
Real-World Scenario: A company rotates all credentials after detecting the initial compromise. They think they’re safe. Two weeks later, an attacker creates a Discussion in a compromised repository. The malicious workflow executes, downloads a new payload, and the attack begins again—using fresh credentials harvested from the “cleaned” system.
4. Docker Privilege Escalation: From User to Root
The Technique: If the compromised user has Docker access (common for developers), Shai-Hulud 2.0 attempts to gain root access on the host system:
–privileged: Gives the container near-complete host access
-v /:/host: Mounts the entire host filesystem
Modifies sudoers: Grants passwordless sudo to the compromised user
Result: User can now execute any command as root
Why Developers Have Docker:
Modern development workflow standard
Required for containerized applications
Used for testing and local deployments
Often given broad permissions for convenience
The Privilege Escalation Chain:
npm install (user privileges) → Preinstall script executes → Detects Docker access → Launches privileged container → Mounts host filesystem → Modifies sudoers → Compromised user now has root → Can access ANY file on system → Can install kernel-level rootkits → Can persist across reboots
Defense Challenge: Many development workflow guides recommend giving developers Docker access for convenience. Security teams face a difficult choice: impair developer productivity or accept elevated privilege escalation risk.
5. Cloud Credential Theft: AWS, Azure, GCP
What’s Targeted: Shai-Hulud 2.0 specifically hunts for cloud service provider credentials:
Don’t let Shai-Hulud 2.0 or the next supply chain attack compromise your organization.
This blog post contains a technical analysis of active malware campaigns. All code examples are provided for educational and defensive purposes only. Seceon does not condone or support the use of this information for malicious purposes.
Seceon® is a registered trademark. aiSIEM®, aiXDR®, and aiSOAR® are registered trademarks of Seceon Inc.
