Shai Hulud 2.0: What We Know About the Ongoing NPM Supply Chain Attack

A new wave of supply chain compromise is unfolding across the open-source ecosystem. Multiple security vendors, including Aikido Security and Wiz, have confirmed that the threat actor behind the earlier Shai Hulud malware campaign has resurfaced, this time compromising NPM accounts, GitHub repositories and widely used packages associated with Zapier and ENS (Ethereum Name Service).

Written by: Kodem Security Research Team
Published on: November 24, 2025
Topic: Vulnerabilities

What Happened?

Aikido Security first reported that Zapier’s NPM account was compromised, enabling an attacker to publish malicious versions of multiple packages. The malware was linked to the same actor behind the self-propagating Shai Hulud worm discovered in September 2025.

Wiz Research has since confirmed the scope is far broader: 26,000+ GitHub repositories have been created using stolen developer credentials. These repos distribute malicious or look-alike packages and often include the description: “Sha1-Hulud: The Second Coming.”

The attacker’s objectives remain consistent with earlier activity:

  • Steal credentials and authentication material.
  • Exfiltrate sensitive environment variables.
  • Inject malicious code paths.
  • Compromise trusted developer and CI/CD pipelines within the supply chain.

The campaign is ongoing and expanding, targeting high-trust maintainer accounts to maximize downstream impact.

How the Attack Works

Shai Hulud 2.0 follows the same pattern as the earlier campaign, but at a wider scale:

  1. Compromise maintainer or developer credentials.
  2. Publish modified or entirely new packages.
  3. Self-propagate across CI/CD pipelines and developer machines. As in the first Shai Hulud wave, the malware spreads by abusing developer automation.
  4. Exfiltrate environment variables (cloud credentials), secrets and tokens.
  5. Infect downstream dependencies.

This illustrates why supply-chain attacks are so difficult to contain: a single compromised maintainer account can cascade across thousands of projects.

What Teams Should Do Immediately

  1. Identify whether affected versions were pulled in your environments.
    • Review dependency manifests.
    • Check lockfiles for exact versions.
    • Audit CI pipelines that may have installed or cached packages.
  2. Rotate secrets.
    • If any impacted package was used anywhere in your workflows, assume credential exposure.
  3. Pin trusted versions and enforce integrity protection.
    • Require package-lock.json / yarn.lock / pnpm-lock.yaml.
    • Enable NPM package integrity tooling.
  4. Block newly discovered malicious packages.
    • As more repos and packages are identified, expect updates from security vendors and the NPM security team.
  5. Monitor for suspicious behavior.
    • Unexpected outbound requests.
    • Modified build scripts.
    • New GitHub repos interacting with your code.
    • Credential anomalies in CI/CD logs.
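Step 1 and step 3 above can be partly automated against a lockfile. The following is an added example, not code from the original post: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), flags any package named in this post's secret-leakage list (the post gives no version numbers, so every installed version of those names is reported for review) and also reports entries that carry no integrity hash. The sample lockfile, its versions and the function names are constructed for the example.

```javascript
// Names taken from the post's "Packages with Known Secret Leakage Behavior" list.
const WATCHLIST = new Set([
  "posthog-node", "@postman/node-keytar", "@posthog/kinesis-plugin",
  "zapier-platform-core", "zapier-platform-cli", "@asyncapi/generator",
]);

// Package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/@scope/name".
function nameFromLockKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
// Watch-listed names are reported; so are entries with no "integrity" hash, because
// without a hash the install step cannot verify the tarball it downloaded.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name) continue; // "" is the root project, not a dependency
    if (WATCHLIST.has(name)) {
      findings.push({ name, version: entry.version, reason: "on watchlist" });
    } else if (!entry.integrity && !entry.link) {
      findings.push({ name, version: entry.version, reason: "no integrity hash" });
    }
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk (CommonJS / Node.js).
function auditLockfileFile(filePath) {
  const fs = require("node:fs");
  return auditLockfile(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample lockfile (not a real project; versions are invented): a direct
// watch-listed package, a transitive one, and one entry without an integrity hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2", integrity: "sha512-constructed" },
    "node_modules/zapier-platform-core": { version: "16.0.0", integrity: "sha512-constructed" },
    "node_modules/foo/node_modules/@posthog/kinesis-plugin": { version: "0.1.0", integrity: "sha512-constructed" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
```

Call auditLockfileFile("package-lock.json") from a CI job and fail the build on any "on watchlist" finding; auditLockfile(SAMPLE_LOCK) returns three findings for the constructed sample.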

Why This Matters

Unlike typical malware that targets end users, Shai Hulud 2.0 explicitly targets developers, build systems, automated pipelines and package maintainers. This creates a compounding effect: a compromise in one developer’s environment can silently impact thousands of downstream users.

The scale of credential theft and automated GitHub repository creation shows a threat actor that is highly automated, persistent and familiar with developer workflows. This incident underscores the fragility of the modern software supply chain and how quickly a single upstream compromise can reshape risk across the ecosystem.

Technical Details: How the Malicious Packages Behave

Analysis across affected packages shows recurring traits in how Shai Hulud 2.0 embeds, triggers and propagates its payloads:

Runtime Behavior

  • Malicious logic is injected into lifecycle hooks: install, postinstall, prepare, prepublish.
  • Scripts enumerate environment variables and extract available credentials, including CI service tokens, cloud credentials and package manager tokens.
  • Several samples attempt to download secondary payloads or command files over HTTP.
  • Obfuscation routines commonly rely on base64 encoding, string splitting or minimal XOR operations.
  • When tokens are found, the malware attempts to re-publish tampered versions under the victim’s NPM profile.

Versioning Signals

  • Compromised packages often appear as unexpected patch bumps with minimal or no code changes.
  • Published versions frequently lack corresponding tags or release notes.
  • Mismatches between GitHub source and the NPM tarball are common.
  • Maintainer activity on GitHub may not align with the timing of the published version.

Indicators of Compromise (IoCs)

Observed network endpoints
Domains associated with exfiltration or payload retrieval.

shai-hulud[.]xyz
hulud-sec[.]xyz
npm-sync-secure[.]net
env-dump-upload[.]net

Observed filenames
Files commonly inserted or modified in compromised packages.

postinstall.js
env-dump.js
token-grab.js
npmrc-mod.js
update.js

Script signatures
Code fragments repeatedly seen in malicious versions.

process.env.*
curl -X POST
fetch("http://...")
Buffer.from(..., "base64")
child_process.exec("env")
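The lifecycle-hook behaviour described under Runtime Behavior and the filename and script-signature lists above can be turned into a simple local scanner. This is an added example, not code from the original post or from any of the vendors it cites: scanPackage takes a parsed package.json and a map of the package's top-level files, and reports every install/postinstall/prepare/prepublish hook, every filename from the list above and every matched script fragment. The regexes are my translation of the listed fragments (the exec pattern also accepts execSync), and the sample package is constructed from inert lines that merely contain those fragments.

```javascript
const HOOKS = ["install", "postinstall", "prepare", "prepublish"];
const FILENAMES = new Set(["postinstall.js", "env-dump.js", "token-grab.js", "npmrc-mod.js", "update.js"]);
// One regex per script signature in the post; the exec pattern also accepts execSync.
const SIGNATURES = {
  "process.env access": /process\.env\b/,
  "curl POST": /curl\s+-X\s+POST/,
  "plain-HTTP fetch": /fetch\(\s*["']http:\/\//,
  "base64 decode": /Buffer\.from\([^)]*["']base64["']\s*\)/,
  "env dump via exec": /\bexec(?:Sync)?\(\s*["']env["']/,
};

// manifest: parsed package.json; files: { filename: contents } for the package's top-level
// files. Returns one finding per lifecycle hook, suspicious filename and matched signature.
function scanPackage(manifest, files) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd) findings.push({ kind: "lifecycle hook", detail: `${hook}: ${cmd}` });
  }
  for (const [name, text] of Object.entries(files)) {
    if (FILENAMES.has(name)) findings.push({ kind: "suspicious filename", detail: name });
    for (const [label, re] of Object.entries(SIGNATURES)) {
      if (re.test(text)) findings.push({ kind: "signature", detail: `${label} in ${name}` });
    }
  }
  return findings;
}

// Scan one installed package directory (e.g. node_modules/some-pkg): its package.json
// plus every top-level .js file. CommonJS / Node.js only.
function scanInstalledDir(dir) {
  const fs = require("node:fs"), path = require("node:path");
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  const files = {};
  for (const f of fs.readdirSync(dir)) {
    if (f.endsWith(".js")) files[f] = fs.readFileSync(path.join(dir, f), "utf8");
  }
  return scanPackage(manifest, files);
}

// Constructed sample (not a real package): inert lines that only carry the fragments.
const SAMPLE_MANIFEST = { name: "demo-pkg", version: "1.0.1", scripts: { postinstall: "node postinstall.js" } };
const SAMPLE_FILES = {
  "index.js": "module.exports = () => 42;\n",
  "postinstall.js": [
    'const { exec } = require("child_process");',
    'exec("env", (err, out) => { const t = process.env.NPM_TOKEN; });',
    'const blob = Buffer.from("aGk=", "base64"); fetch("http://example.invalid/");',
  ].join("\n"),
};
```

Loop scanInstalledDir over every directory under node_modules to audit a real install; a hook plus one or more signature hits in the same file is the combination worth triaging first, since legitimate packages also use postinstall.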

Affected Packages

The full list contains nearly 500 compromised packages; they are grouped below by ecosystem or domain area to improve readability. This list reflects currently identified packages; additional affected versions may still emerge as analysis continues.

Packages with Known Secret Leakage Behavior

Wiz & Aikido flagged this subset as leaking environment variables or credentials:

  • posthog-node
  • @postman/node-keytar
  • @posthog/kinesis-plugin
  • zapier-platform-core
  • zapier-platform-cli
  • @asyncapi/generator
