AI Autopsy: How Shai-Hulud 2 Is Rewriting the Rules of Supply Chain Security

A new campaign is stealing cloud and developer secrets at astonishing speed. Danny Bradbury asks what CISOs can do to stop it

Supply chain attacks on open-source projects are nothing new. But this autumn saw something unprecedented: worm-like malware that has chewed its way through large parts of the JavaScript ecosystem, infecting libraries with malicious code as it goes. The campaign is called Shai-Hulud, after the infamous sandworms in Frank Herbert’s Dune novels. And in weaponising the npm ecosystem, it has experts deeply worried.

The latest wave (Shai-Hulud 2) began in late November and has already compromised more than 800 packages and exposed over 30,000 GitHub repositories. In so doing, it has leaked an estimated 400,000 developer and multi-cloud secrets. In response, CISOs must urgently prioritise “shift left” security to protect their increasingly brittle software supply chains.

Origin story

It began with a campaign called “S1ngularity” that targeted the build system for Nx, a popular package manager for AI projects. The attackers used GitHub Actions – Microsoft’s system for automating development lifecycle tasks – to plant malware in a vulnerable repository. This ultimately granted read-write access to GitHub, which they used to create a new branch of the nx software containing malicious code that infected the machine of anyone (typically a developer) who downloaded it. It also stole the nx development team’s npm access tokens.

“The quicker we can spread enough awareness through the ecosystem, the better off we’re going to be” Charlie Eriksen.

Upon installation, the malicious code mines the system for various secrets. These might include not only GitHub Personal Access tokens but also access to other cloud APIs for services such as AWS, Google Cloud, and Microsoft Azure. The criminals behind the attacks also seek large language models (LLMs) on targeted systems and co-opt them to uncover secrets.

“If the user had a GitHub access token, then it would take all of these things, and it would publish it into a new repository for that user on GitHub for everybody to see,” Aikido Security malware researcher, Charlie Eriksen, tells Assured Intelligence.

The worm surfaces

On September 15-17, 2025, the team was back with an enhanced version of the first attack technique. This was the first appearance of what we now know as Shai-Hulud, and it’s where the worm functionality came in.

This time, after compromising a developer’s account, the malware would use the developer’s credentials to authenticate to the npm registry. Then it would inject code into any other packages they had access to and publish compromised versions to the registry. The result was a rapid acceleration in the spread of infection.

“Shai-Hulud is a self-spreading supply-chain worm for npm,” Sonatype CTO, Brian Fox, tells Assured Intelligence. “Instead of compromising one package at a time, it turns every compromised package into a launchpad for the next.”

November brings fresh panic

When the attack expanded in September, CISA issued a formal advisory recommending immediate credential rotation. At the time, the agency said it had compromised over 500 packages – but it didn’t end there. A second Shai-Hulud wave launched late last month and levelled things up still further.

“Shai-Hulud is a self-spreading supply-chain worm for npm” Brian Fox

This second wave “infected 500-621 packages (132 million monthly downloads) and 25,000+ GitHub repos in under 24 hours, exposing 14,000+ secrets,” according to Patrick Münch, co-founder and CTO of security company Mondoo. Packages from organisations including Anysync API, PostHog, and Postman were among those originally affected by this wave.

The attackers had obviously gained confidence, as they were now infecting up to 100 npm packages per compromise, up from 20 in the first wave. They published secrets to GitHub repositories with randomly generated names, each with the description “Sha1-Hulud: The Second Coming.”

The most significant technical change with the second attack wave was the shift from post-install to pre-install script execution, Münch tells Assured Intelligence. “Unlike post-install (which many tools scan/block after the fact), preinstall runs universally during dependency resolution, infecting build servers, containers, and automated workflows without completing the install,” he says.

The dead man’s switch

The team behind this malware has also enhanced its anti-analysis protections, say experts. The size and the structure of the payload file appear designed to thwart analysis. And triple-Base64 encoding obscures exfiltrated secrets before they’re transmitted to attacker-controlled repositories.

But perhaps the nastiest trick of all for the second-wave deployment is the “dead man’s switch”. If the system can’t find any exfiltration paths, it wipes the victim’s machine.

This isn’t just a spiteful move, argues Sonatype’s Fox. If an infected system decides it’s being contained, that’s when its system wiping detonates. It’s a sneaky anti-analysis tool that will thwart incident response.

“It forces responders to slow down at the exact moment they want to move fast,” he warns. “If containment actions trigger data destruction, you cannot simply connect to an infected system and investigate. You need to isolate it, take a forensic image, and analyse a copy in a controlled environment. This adds overhead and time pressure, especially when developer laptops or short-lived CI runners are affected.”

Time to respond

What this shows is an open source system under strain, says Aikido Security’s Eriksen. “It takes a lot of people to actually try to close off the kill chain to stop this attack,” he says. “So the quicker and sooner we can spread enough awareness through the ecosystem, the better off we’re going to be.”

“What this shows is an open source ecosystem under strain”

For CISOs, Sonatype’s Fox outlines immediate priorities. Containment is the first step, he says. “Pause builds that pull unpinned npm packages. Disable lifecycle scripts in CI where possible. Block known bad versions at your proxy or repository manager.”

Mondoo’s Münch suggests revoking and regenerating all developer and CI/CD credentials, including npm and GitHub tokens, SSH keys, and cloud APIs keys. Scanning repositories and quarantining infection sources is a must, as is auditing dependencies in your software. That will help prevent re-infection. “Enforce phishing-resistant MFA,” he adds, warning that attackers have also stolen developer credentials through phishing attacks.

Given the vulnerabilities in GitHub Actions deployments that allowed these intrusions in the first place, it’s time to scrutinise those too, says Aikido Security’s Eriksen.

“They need to go and actually audit all of their GitHub Actions to make sure that they’re following best practices and avoiding some of these features in them that are really prone to be insecure,” he advises CISOs.

GitHub and npm are also taking action. Npm revoked legacy tokens – although Shai-Hulud 2 launched before that revocation deadline. GitHub is revoking legacy tokens on December 9, meaning there may be further activity if the Shai-Hulud team tries to sneak in more attacks before that window closes.

Defensive measures will become increasingly important, says Eriksen, who believes cross-ecosystem spread is the next concern. He’s already seen the attackers compromise Visual Studio Code extensions on Open VSX (a registry of extensions for Visual Studio-compatible code editors) before they hit npm.

He concludes with perhaps the most chilling statement of all: the threat actors behind Shai-Hulud have more aces up their sleeve. If they do come back for another wave of attacks, let’s hope that organisations have enhanced their CI/CD governance.