The JavaScript/npm ecosystem is facing a new benchmark in supply-chain threats with the resurgence of Shai-Hulud 2.0 on November 24, 2025. The self-propagating worm specifically targets open-source maintainers and the packages they publish. This new variant marks a shift from isolated malicious packages to a coordinated, automated infection mechanism.
The impact is already severe. Hundreds of npm packages and tens of thousands of GitHub repositories have been affected, creating an unprecedented “blast radius” for a JavaScript supply-chain attack. For readers familiar with OPSWAT’s analysis of Shai-Hulud 1.0, the 2.0 release dramatically expands the worm’s capabilities and operational scale: earlier execution, broader propagating, and more resilient to standard remediation, elevating it from a concerning threat to a full ecosystem-level incident.
Shai-Hulud 2.0 Quick Facts
- Self-propagating worm: Shai-Hulud 2.0 steals GitHub credentials, repackages itself, and republishes across a maintainer’s entire npm portfolio.
- Massive spread: 700+ infected npm packages, 25,000+ GitHub repos, 500 maintainers affected; 1,000+ new repos added every 30 minutes (Wiz).
- Cross-ecosystem impact: Also observed in Maven/Java via automated npm-to-Maven mirroring.
- Key risks: CI/CD exposure, compromised secrets, install-time execution, and poisoned registries.
- Defense: SBOM accuracy, provenance verification, runtime monitoring, and strict token/secret hygiene.
Scope & Escalation: How Widespread Is the Damage?
The scale and speed of Shai-Hulud 2.0’s spread have surpassed anything seen in recent supply-chain incidents. What began as a targeted npm compromise quickly escalated into a systemic, cross-platform infection affecting thousands of projects and hundreds of maintainers.
Unlike typical npm malware, which usually involves a single trojanized package, Shai-Hulud 2.0 behaves like a worm. After compromising a developer, it steals GitHub credentials, repackages itself, and republishes across the maintainer’s entire package set, turning each victim into a new distribution point. The result is rapid, exponential spread across the ecosystem.
Compromised Packages
Hundreds of npm packages have been compromised. These include high-visibility projects maintained by well-established organizations, amplifying downstream exposure.
Rapid, Exponential Spread
The worm has been observed generating 1,000+S new malicious GitHub repositories every 30 minutes (Wiz), fueled by automated publishing from stolen credentials. Each new victim becomes a propagation node, multiplying the total impact every cycle.
Secrets Exposed
The credential theft component of Shai-Hulud 2.0 is proving especially damaging. Verified leaked secrets include more than 1,500 credentials and tokens spanning major platforms – GitHub, AWS, Google Cloud Platform, and Azure.
This volume of sensitive tokens represents a broad, multi-cloud compromise with the potential for long-tail exploitation.
Remediation Efforts
Fortunately, several high-profile maintainers such as Zapier, PostHog, and Postman have already regained control of their packages. The malicious versions have been removed from npm, and many affected repos are being reclaimed or cleaned.
However, the incident is still evolving. Even with rapid remediation, organizations must continue to monitor dependency health, CI pipelines, and GitHub accounts for signs of further credential leakage or automated republishing.
Cross-Ecosystem Impact: npm → Maven/Java
Notably, this wave has also impacted other ecosystems such as Maven/Java through automated npm-to-Maven artifact conversion (JFrog) .
-
While npm remains the primary target of Shai-Hulud 2.0, this wave has demonstrated the risk of cross-ecosystem propagation, specifically into Java/Maven projects. Security researchers identified the malicious Maven artifact:
org.mvnpm:posthog-node:4.18.1which contains the same payload (setup_bun.jsandbun_environment.js) found in compromised npm packages (The Hacker News) .
- Mechanism: Automated bridging tools rebuild npm packages as Maven artifacts for Java projects. Teams not directly using Node.js may be exposed if their projects rely on these mirrored artifacts.
This demonstrates the ecosystem-agnostic risk of supply-chain attacks. Even projects that don’t directly use npm can inherit risk through automated tooling.
Shai-Hulud 2.0 demonstrates that modern supply-chain worms are environment-aware, multi-stage threats: they adapt to developer machines and CI/CD pipelines, harvest credentials as both payload and propagation mechanism, and include fallback behaviors to ensure either spread or destructive impact. Detection requires monitoring runtime behavior across all stages, not just static code analysis.
Technical Mechanics: How the Worm Works
| Stage | What Happens |
|---|---|
| 1. Initial Access & Deployment | Attackers leverage compromised npm maintainer accounts to deliver packages containing setup_bun.js and bun_environment.js, executed automatically via a preinstall hook across developer machines and CI/CD pipelines. |
| 2. Stealthy Runtime Initialization | The loader detects the host environment, initializes the Bun runtime, and runs the payload silently in the background to make installs appear normal. |
| 3. Environment Fingerprinting & Privilege Escalation | The payload identifies CI platforms, attempts passwordless root via Docker on Linux runners, and can modify DNS or iptables rules to control network flows. |
| 4. Credential & Secret Harvesting | The payload collects environment variables and cloud keys, runs TruffleHog for local secret discovery, extracts AWS/Azure/GCP credentials, and injects temporary workflows to scrape GitHub secrets. |
| 5. Exfiltration & Persistence | Stolen data is triple-base64 encoded and uploaded to a new repo in the victim’s account while persistence is established via a malicious self-hosted runner and workflow. |
| 6. Worm Propagation (Replication) | Using stolen npm tokens, the worm clones the victim’s packages, injects malicious files and hooks, bumps versions, and republishes them to spread autonomously. |
| 7. Destructive Fallback | If no credentials can be harvested, the worm triggers a destructive routine that securely wipes the user’s home directory. |
CI/CD Risks Highlighted by PostHog Incident
PostHog’s breach demonstrates the subtlety of CI/CD exposure:
- Malicious pull requests leveraged pull_request_target in GitHub Actions.
- A bot PAT was exfiltrated, which then allowed publishing of trojanized npm SDKs.
CI/CD workflows, even automated ones, are high-risk attack surfaces. Restrict scripts, minimize token exposure, and enforce short-lived credentials.
Limitations of Traditional Defenses
- Dependency pinning may fail due to transitive dependencies.
- Static SCA scanners cannot detect newly published, trojanized code under legitimate package names.
- Token misuse via CI/CD pipelines means even internal repos are at risk.
How to Use SBOM and Supply Chain Security as a Defense
SBOM and supply chain tools can provide:
- Dependency transparency: Tracks direct and transitive dependencies with version and maintainer metadata.
- Provenance verification: Identifies unexpected package changes or unknown maintainers.
- Credential and secret monitoring: Detects exfiltration attempts or misused tokens.
- Behavioral insights: Monitors resource access or unusual execution patterns during installs.
While not a silver bullet, combining SBOM with continuous monitoring strengthens defenses against worm-like attacks.
OPSWAT SBOM and MetaDefender Software Supply Chain™
OPSWAT SBOM technology scans source code repository and detects the malicious npm sha1-hulud package.
MetaDefender Software Supply Chain gives a fuller picture and detects the compromised sha1-hulud package.
Metascan Multiscanning adds layers of defense to detect malware:
Recommended Immediate Actions
- Rotate credentials: GitHub PATs, npm tokens, SSH keys, cloud credentials; enable MFA.
- Remove compromised packages: Clear npm cache, node_modules, and pin to known clean versions.
- Audit GitHub and CI/CD: Look for new repos, workflows, and suspicious commits.
- Harden pipelines: restrict lifecycle scripts, limit outbound network access, and minimize token scope.
- Continuous monitoring: Treat dependencies and build pipelines as part of the critical attack surface.
Key Takeaways
Supply-Chain Threats Are Ecosystem-Agnostic
Shai-Hulud 2.0’s spillover into Maven/Java via npm-to-Maven bridging shows that supply-chain attacks can cross language and ecosystem boundaries. Even projects that don’t directly use npm may be exposed if automated bridging tools are used.
Credential Hygiene is Foundational
Stolen tokens (GitHub, npm, cloud) enable propagation and access to sensitive environments. Use short-lived, scoped tokens, enforce MFA, and rotate credentials immediately after any suspicion of compromise. Use automated secret scanning tools to accelerate the process.
Holistic Supply Chain Security is Mandatory
Depend solely on static SCA scanning or pinning versions is insufficient. Combine SBOM visibility, malware multiscanning, and token/secret protection to reduce exposure across all ecosystems. Explore MetaDefender Software Supply Chain
Ready to secure your software supply chain and prevent cyberattacks with tailored, seamlessly integrated solutions?
