Shai-Hulud 2.0: Anatomy of a Self-Replicating Supply Chain Worm That Exposed 33,000+ Secrets

Executive Summary

In November 2025, the "Shai-Hulud 2.0" supply chain worm campaign demonstrated a terrifying evolution in software supply chain attacks. Over the course of a single day, the worm compromised 796 unique npm packages totaling over 20 million weekly downloads, exfiltrating 33,185 unique secrets from 20,649 repositories. With 3,760 credentials remaining valid at discovery time, the campaign revealed critical gaps in how organizations manage non-human identities (NHIs) and developer credentials. This wasn't just credential theft—it was a self-sustaining, AI-aware worm that weaponized the very tools developers trust.

The Attack: From Package Install to Full Compromise

Shai-Hulud 2.0 operated as a true worm, requiring no command-and-control server to propagate. The infection chain began innocuously: a developer runs npm install, triggering a malicious preinstall script that executes during package installation.

The malware followed a sophisticated multi-stage execution flow:

1. Initial Execution: The setup_bun.js script installs the Bun JavaScript runtime—likely chosen to evade standard Node.js monitoring tools—and executes an obfuscated payload.

2. Credential Harvesting: The worm deployed a weaponized version of TruffleHog, the popular open-source secret scanner, turning a defensive tool into an offensive weapon. It systematically scanned for:

   • Environment variables and .env files
   • Cloud credentials (AWS, GCP, Azure) via instance metadata services
   • GitHub Personal Access Tokens, OAuth tokens, and Fine-Grained PATs
   • NPM authentication tokens from .npmrc files
   • Secrets from cloud secret managers (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager)

3. Exfiltration via GitHub: Rather than using easily-blocked external endpoints, the malware created public GitHub repositories using stolen victim credentials. Each exfiltration repo contained:

   • environment.json: Full environment variable dumps
   • truffleSecrets.json: Locally discovered secrets
   • cloud.json: Cloud platform credentials (when accessible)
   • contents.json: System information and the GitHub token used for exfiltration

4. Recursive Propagation: Using stolen NPM tokens, the worm automatically backdoored up to 100 packages owned by each compromised maintainer, creating a self-sustaining infection cycle.

Credential Mutualization: The Worm's Force Multiplier

Perhaps the most innovative aspect of Shai-Hulud 2.0 was its credential mutualization technique. When a victim didn't have GitHub credentials available locally, the worm didn't stop—it adapted.

The malware searched GitHub for existing exfiltration repositories created by previous victims, extracted valid GitHub tokens from their contents.json files, and used those stolen credentials to create new exfiltration repositories for the current victim's data.

This created a cascading effect where:

• Stolen GitHub tokens from Victim A enabled exfiltration for Victim B
• Victim B's stolen tokens then enabled exfiltration for Victim C
• Attribution by repository owner became unreliable—your secrets might be exfiltrated under someone else's account

As GitGuardian's research noted: "Many repos that host the leaked artifacts don't belong to the original victim at all; they're merely staging areas controlled with stolen keys."

AI LLM Credential Targeting: A New Attack Vector

The Shai-Hulud campaign didn't just target traditional credentials—it specifically hunted for AI LLM client credentials. The original Shai-Hulud 1.0 variant included prompts designed to coerce locally-running AI assistants (Claude, Gemini, and Q) into scooping up secrets.

This represents a paradigm shift in attack methodology:

• AI as Reconnaissance Tool: Attackers don't need to manually enumerate systems—they can use the victim's own AI assistants to do it for them
• Elevated Permissions: AI coding tools often have broad access to development environments, making them ideal reconnaissance platforms
• Trust Exploitation: Developers inherently trust their AI assistants, creating a blind spot for security monitoring

While Shai-Hulud 2.0 shifted to TruffleHog for reliability, the precedent was set. Future campaigns will likely combine AI reconnaissance with automated exploitation, creating truly autonomous attack systems.

Persistence via GitHub Infrastructure

Shai-Hulud 2.0 introduced a novel persistence mechanism that turned GitHub's infrastructure into a command-and-control channel:

1. Self-Hosted Runner Registration: Compromised machines were registered as self-hosted GitHub Actions runners named "SHA1HULUD"
2. Discussion-Triggered Execution: A malicious workflow file with an intentional command injection vulnerability listened for GitHub discussion events
3. Remote Code Execution: Attackers could execute arbitrary code on compromised machines by creating discussions with injected commands

This mechanism meant that even after all infected NPM packages were removed, attackers could maintain access to compromised environments and potentially restart the infection cycle.

Impact Analysis: The Numbers Behind the Breach

GitGuardian's analysis of the exfiltrated data revealed the scope of the compromise:

Critically, 20% of compromised machines were GitHub Actions runners—indicating the payload executed during CI/CD builds, not just on developer workstations. This represents a fundamental supply chain risk: a single compromised dependency can poison build pipelines across thousands of downstream projects.

Defense Strategies: Building Resilient Supply Chains

1. Dependency Cooldowns

Security researcher William Woodruff demonstrated that waiting 7-14 days after a package release prevents the majority of supply chain attacks. This works because security vendors continuously scan registries with automated malware detection, and the cooldown creates a detection buffer.

Implementation options:

• pnpm: minimumReleaseAge setting
• Renovate: Built-in cooldown configuration
• uv: exclude-newer flag
• Recommendations: 3-5 days for dev dependencies, 7 days for application dependencies, 14 days for infrastructure dependencies

2. Ephemeral Credentials

Long-lived secrets are the worm's fuel. Shift to ephemeral credentials that expire automatically:

• AWS: Use STS temporary credentials
• Azure: Managed Identities
• GCP: Workload Identity Federation
• CI/CD: OIDC-based authentication for GitHub Actions and GitLab CI

Critical caveat: Ephemeral credentials reduce exposure time, but if attackers compromise the CI/CD environment itself (as seen with Shai-Hulud's 20% CI infection rate), they can leverage just-in-time generation while it's active. Combine ephemeral credentials with runtime monitoring.

3. NHI Governance

Non-human identity governance is no longer optional. Effective NHI management requires:

• Documentation: Map which NHIs access other platforms' secrets for rapid remediation cascade analysis
• Least Privilege: Better-scoped NPM tokens could have slowed Shai-Hulud's spread
• Maximum Lifespans: Force rotation as a statistical backstop against undetected compromises
• Enumeration Monitoring: Detect systematic secret access before exfiltration completes

4. Runtime Security Monitoring

Detecting Shai-Hulud-style attacks requires behavioral monitoring:

• Unexpected execution of secret scanning tools (TruffleHog, git-secrets)
• Attempts to register self-hosted GitHub Actions runners
• Unusual GitHub API activity (mass repository creation)
• Package publication from non-standard processes

These capabilities require EDR solutions, not just network segmentation.

5. Lock File Enforcement

Configure CI pipelines to fail if lock files are missing or outdated. Lock files ensure builds use specific, tested package versions rather than pulling potentially compromised latest releases.

The Bigger Picture: What Shai-Hulud Teaches Us

Shai-Hulud 2.0 wasn't an isolated incident—it was the culmination of a 2025 attack wave that included the s1ngularity campaign (2,349 credentials stolen), GhostAction (3,325 secrets from GitHub workflows), and the Red Hat GitLab breach (570GB exposed).

The connection between campaigns suggests credential mutualization across attack waves: all Shai-Hulud 1.0 patient-zero packages had Nx as a dependency, indicating stolen NPM tokens from s1ngularity may have enabled the September attack.

This pattern reveals an uncomfortable truth: attackers are learning from each campaign and adapting. The window between initial compromise and widespread exploitation was under 4 hours. Manual review processes cannot match this velocity.

Conclusion

Shai-Hulud 2.0 represents a watershed moment in supply chain security. The combination of worm-like self-propagation, credential mutualization, AI-aware targeting, and infrastructure weaponization shows what the next generation of attacks will look like.

The industry is overdue for a fully weaponized multi-platform worm that leverages dozens of platforms instead of two. Shai-Hulud's limitation was deliberate, not technical. When that worm emerges, organizations without proactive defenses will face cascading compromise in hours.

Three immediate steps can significantly reduce exposure:

1. Implement dependency cooldowns (7-14 days)
2. Enforce lock files in CI/CD with pipeline failure on violations
3. Upgrade to security-focused package managers with built-in protections

The 2026 campaigns will be production-ready. The time to act is now.

Indicators of Compromise (IOCs)

Repository Indicators:

• Description: "Sha1-Hulud: The Second Coming"
• Name pattern: 18-character random alphanumeric string (e.g., zl8cgwrxf1ufhiufxq)
• Files: cloud.json, contents.json, environment.json, actionsSecrets.json, truffleSecrets.json

File Indicators:

• setup_bun.js
• bun_environment.js

Known Hashes:

• setup_bun.js: a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a
• bun_environment.js: 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0

Sources: GitGuardian Research, Dark Reading, Datadog Security Labs, Veracode Threat Research, Unit 42