The Shai-Hulud , Shai Hulud, or Sha1-Hulud – The second coming campaign is definitely something new, and like the dune worm producing spice, this one produces credentials (dune reference), marking a turning point for application security, ASPM, and the broader fight against supply chain security breaches. Unlike single-vector incidents that burn out quickly, this operation has evolved through distinct phases, adapting its tactics while expanding its blast radius across npm, GitHub, and cloud platforms.
The attack now covers close to 700 malicious npm package versions, 25,000+ attacker-created GitHub repositories, and impacts nearly 37 organizations across developer tooling, analytics, e-commerce, and automation. I believe this campaign is just probing the ecosystem and is yet to see a full scale.
This article breaks down the full attack sequence from the first incidents in September through the V2 resurgence in November. The focus is on technique: how the malware runs, what it steals, how it persists, and why it spreads so aggressively.
TL;DR for engineering teams on Shai Hulud
- continuation of the Shai Hulud supply chain and the NPM maintainer compromised, after https://phoenix.security/qix-npm-compromise/. Another account following the pattern campaign on NPM, another account compromised.
- Account compromised: https://www.npmjs.com/~scttcper
- Full Shai-huludV2 timeline https://phoenix.security/shai-hulud-second-coming-npms-biggest-supply-chain-breach/
Thanks to Daniel Pereira for the initial alert and Charlie Eriksen for the update
- Shai Hulud is not a one-off package takeover but a self-propagating npm worm that abuses maintainer accounts, GitHub Actions, and npm tokens.
- The current view:
- Confirmed compromised packages: 198
- Potentially compromised packages: 410
- Total in scope: 608
- Confirmed compromised packages: 198
- Scanner with compromised samples updated: https://github.com/Security-Phoenix-demo/Shai-Hulud-Hulud-Shai-npm-tinycolour-compromise-verifier/tree/main/test_variations
- High-profile orgs affected now include @posthog, @ensdomains, @asyncapi, @postman, @zapier, @trigo, @actbase, and others.
- The payload steals GitHub, npm, and cloud credentials, creates malicious GitHub Actions workflows, and republishes poisoned artifacts that fire on npm install.
- Recovery is not “just patch the package.” You need to pin, proxy, rotate everything, rip out backdoor workflows, and triage via ASPM and reachability, or you will keep chasing ghosts.
Phoenix Security provides scanners, campaign-based filters, contextual deduplication, and reachability to shrink the blast radius into a focused, owned backlog.
https://github.com/Security-Phoenix-demo/Shai-Hulud-Sha1-Hulud-V2-npm-compromise-scanner
We believe this could be the testing or beginning of the 3rd part of the attack, so protecting yourself is key.
What is the Shai-Hulud V2 impact
Shai Hulud started as yet another npm campaign focused on a handful of core utilities such as @ctrl/tinycolor. That phase is done. The fresh data shows something bigger and more systemic:
- 608 package versions touched, either confirmed or strongly suspected.
- A new wave hitting analytics, Web3, API tooling, integration platforms, and enterprise frameworks.
- A spread across organizations that sit deep in modern engineering and platform stacks:
- Analytics & product analytics: @posthog
- Web3 infrastructure: @ensdomains
- API design and tooling: @asyncapi, @postman
- Integration and automation: @zapier
- Frameworks and platforms: @trigo, @actbase, @quick-start-soft, @kvytech, @lessondesk, @orbitgtbelgium
- Analytics & product analytics: @posthog
Shai-Hulud V2 Attack evolution and campaign phases
Detailed Attack Timeline of Shai Hulud 2
Based on timelines observed across telemetry and community analysis, the campaign falls into phases:
Phase 1 – Foothold through core utilities
- Focus on fundamental utilities (tinycolor, styling and color libraries).
- Impact in the tens of packages.
- Objective: secure an initial set of packages that sit deep in dependency graphs.
Phase 2 – Expansion into scoped ecosystems
- Move into scopes such as @ctrl and @nativescript-community.
- Dozens of packages now within reach.
- Goal: get into frameworks and platforms where a single scope dependency pulls multiple components.
Phase 3 – High-value ecosystems and security-adjacent targets
This update is largely about this phase.
- Targeted scopes now include:
- @posthog for analytics
- @ensdomains for Ethereum Name Service and Web3 tooling
- @asyncapi and @postman for API-first workflows
- @zapier for large-scale automation and integration
- @trigo for enterprise frameworks
- @posthog for analytics
- Hundreds of packages across these orgs and related unscoped projects.
- Objective: weaponise trust in foundational toolchains and give the worm a wide set of downstream install paths.
Phase 4 – Consolidation, stealth, and repeat hits
- Re-compromise of earlier targets, repeat matches and re-publishing.
- Removal of noisy filesystem tactics in favour of workflow and webhook exfiltration.
- Objective: stay inside orgs and CI long-term, not just smash and grab.
Phase 5 – Nov 24-25 2025: Phase 5a – The Exfiltration Snapshot
Defenders take stock of the campaign’s massive blast radius. It is now clear this is an evolving campaign, not isolated incidents.
- Status: The campaign is actively exfiltrating credentials.
- Org-Level Impact Identified: Analysis reveals significant penetration into major ecosystems:
@posthog: 48 packages (Analytics hooks)@ensdomains: 41 packages (Blockchain identity tooling)@asyncapi&@postman: 52 combined packages (API design/testing paths)@zapier: 12 packages (Integration flows)
- Campaign Snapshot Stats (Pre-Nov 24):
- Confirmed Compromised: 198
- Potentially Compromised (Suspected): 410
- Total Campaign Scope: 608 packages across 29 organizations.
Phase 5 – November 25, 2025: Phase 5b
The attack continues with a new wave of activity, confirming long-held suspicions about “potential” compromises and expanding the attack further.
- Event: An additional 82 new packages are compromised in a single day.
- Strategic Shift: The attackers activate or re-infect previously dormant “potential” targets, moving them into the “confirmed” category. This indicates a massive activation of pre-positioned assets.
- Impact Statistics (The Nov 24 Jump):
| Metric | Early November (Phase 5a) | November 24 (Phase 5b) | Change |
| Confirmed Compromised | 208 | 690 | +482 (+231%) |
| Potentially Compromised (early Nov 24) | 400 | 0 | -400 (-100%) |
| Total Packages | 608 | 690 | +82 (+13%) |
| Affected Organizations | 29 | 37 | +8 (+28%) |
- Current Status: The campaign is highly active, with nearly 700 confirmed malicious packages circulating in vital supply chains, affecting 37 distinct organizations.
Defensive Measures against Shai-Hulud V2, leveraging ASPM and Pinning Versions
Pinning your dependencies is the best overall strategy
Leverage Phoenix Security Scanner – https://github.com/Security-Phoenix-demo/Shai-Hulud-Hulud-Shai-npm-tinycolour-compromise-verifier to identify the vulnerability blast radius
Scan with the Git automatic scanner or pull the repo individually (finding can be synced to Phoenix using –enable-phoenix and modifying the config
Leverage Phoenix Security Filters and the campaign method to update/ retrieve the new vulnerabilities, or import those two files
Check the libraries not affected in SBOM screen
Payload & Technical Deep Dive: New Shai Hulud Variant
The second-wave Shai Hulud campaign builds on the tradecraft seen in the September incident but introduces new payload files, new execution paths, a redesigned propagation method, and expanded targeting across major open-source ecosystems. This wave is closely aligned with the Shai Hulud lineage, but the payload structure and behavior suggest that a new operator or cluster may be active.
Get a Free Posture assessment today
How many Packages were affected by the Shai Hulud NPM Supply Chain Campaign
Attack Evolution Pattern
Phase 1: Infrastructure (Sept 8)
- Target: Core color/styling packages such as tinycolor
- Impact: ~18 packages
- Strategy: Establish a foothold by compromising foundational utilities
Phase 2: Scope Expansion (Sept 15)
- Target: Organizational scopes (@ctrl, @nativescript-community)
- Impact: ~37 packages
- Strategy: Broaden attack surface into application frameworks
Phase 3: Mass Targeting (Sept 16)
- Target: Developer ecosystem (@art-ws, @crowdstrike)
- Impact: ~267 packages (dual focus: Crowd + Aikido)
- Strategy: Weaponize trust by infiltrating dev tools and security vendors
Phase 4: Consolidation (Sept 17)
- Target: Re-compromise of previously hit packages, plus new targets
- Impact: ~188 packages (numerous “MATCH” entries signifying repeats)
- Strategy: Ensure persistence, evade cleanup, and expand blast radius
Phase 4: Final Phase V1 (Sept 18)
- Target: Limited cleanup and final additions
- Impact: Minimal new packages, campaign winding down
- Strategy: Remove noisy indicators, consolidate stealth
Phase 5 – Sha1 Hulud new phase – 24 Nov and 25 Nov
- Target compromise new packages
- Leak Credentials
- 400 + 82 Packages taking the total to 700+ Pacckages and 1000+ versions
Sha1-Hulud V2 – Org-level compromised
| Org / Scope | Packages Impacted | Domain / Use Case |
| @posthog | 48 | Analytics & Monitoring |
| @ensdomains | 41 | Blockchain / Web3 |
| @asyncapi | 32 | API Development Tools |
| @postman | 20 | API Testing Tools |
| @trigo | 15 | Enterprise Framework |
| @actbase | 15 | React Native / Mobile |
| @zapier | 12 | Integration Platform |
| @quick-start-soft | 9 | Documentation / Utilities |
| @kvytech | 7 | Medusa E-commerce |
| @lessondesk | 4 | Education Platform |
| @orbitgtbelgium | 4 | GIS / Mapping |
| @strapbuild | 4 | Image Processing / RN |
| @seung-ju | 4 | React Utilities |
| @mcp-use | 3 | MCP Integration |
| @varsityvibe | 2 | API Client |
| @alexcolls | 2 | Nuxt.js |
Technical anatomy of Shai Hulud – The First Wave – September: Silent Seeding and Worm-Like Propagation (V1)
Shai Hulud is best understood as a multi-stage worm operating inside the npm and GitHub ecosystem, with a stable core and multiple evolutionary variants.
Shai-Hulud V1 Core behaviours
Across observed versions, the worm keeps the same goals:
- Harvest credentials and secrets
- Scans local environments, CI runners, and repo contents.
- Targets GITHUB_TOKEN, NPM_TOKEN, cloud credentials for AWS, GCP, Azure, and other sensitive tokens.
- Uses tools in the TruffleHog family or similar logic to sweep history and configuration.
- Scans local environments, CI runners, and repo contents.
- Exfiltrate data into attacker-controlled GitHub infrastructure
- Creates or updates a GitHub repo named with a Shai Hulud theme.
- Uploads stolen secrets and telemetry there.
- In newer variants, exfiltration leans more on GitHub Actions plus webhooks instead of noisy filesystem tricks.
- Creates or updates a GitHub repo named with a Shai Hulud theme.
- Poison artifacts and abuse npm install as an execution point
- Downloads legitimate package tarballs.
- Injects a malicious bundle.js or similar payload.
- Adds or modifies postinstall scripts in package.json so that any install triggers code execution.
- Repacks and republishes under the same name, usually with a patch version bump.
- Downloads legitimate package tarballs.
- Persist through GitHub Actions workflows
- Plants Actions workflows in repos and sometimes in new staging repos.
- Workflows exfiltrate secrets via outbound HTTP calls (webhooks) and can trigger on pushes or pull requests.
- Even if you clean an initial host, those workflows can keep leaking data when legitimate engineers commit code.
- Plants Actions workflows in repos and sometimes in new staging repos.
- Self-propagate using stolen npm credentials
- Wields harvested npm tokens to publish new malicious versions across other packages owned by the same account or org.
- That turns every compromised maintainer into a propagation hub, not just a victim.
- Wields harvested npm tokens to publish new malicious versions across other packages owned by the same account or org.
The end result: one compromised account or CI environment can translate into dozens of packages across multiple scopes being turned into infection points.
Shai-Hulud V2 Execution Methods
The second wave introduced a decisive change in strategy and impact. The shift from postinstall to preinstall changes everything. The payload runs before installation completes, giving the attacker a foothold before a developer or pipeline notices unusual behavior.
Shai Hulud V2 New Execution Model
New payload files added:
- setup_bun.js
- bun_environment.js
The malware generates files such as:
- cloud.json
- contents.json
- environment.json
- truffleSecrets.json
These snapshots include local system data, workspace metadata, and sensitive environment variables.
Preinstall: The New Front Line of npm Security Threats
Running during pre-install grants access to:
- Developer laptops
- CI runners
- Long-lived build agents
- Serverless packaging pipelines
- Vendor-hosted execution environments
Preinstall execution transforms malicious npm packages into initial access agents capable of impacting code, cloud, and production delivery systems.
Code-Level Technique in Shai-Hulud V2: What Happens When a Developer Installs a Compromised Package
When one of the malicious npm packages is installed, the script triggers immediately:
A. Secret Harvesting
The malware launches automated scanning:
- GitHub tokens
- npm tokens
- Cookies
- AWS access keys
- GCP service account tokens
- Azure credentials
- Any high-entropy secrets inside local repos
It mirrors the logic of TruffleHog, scanning recursively across project folders and environment variables.
B. Exfiltration Into Public Repositories
The attacker doesn’t rely on external servers. Instead:
- It creates GitHub repos inside the victim’s own account
- Names them with “Sha1-Hulud: The Second Coming”
- Uploads credential dumps and machine metadata
- Leverages GitHub APIs to conceal activity
This method reduces detection and leverages GitHub as infrastructure.
C. GitHub Workflow Manipulation (Backdoor)
The malware pushes persistent workflows, notably:
- .github/workflows/discussion.yaml Triggers on GitHub Discussions. Executes commands on infected machines via self-hosted runners.
- Registers the machine as: SHA1HULUD self-hosted runner
This creates a persistent RCE channel.
D. Cross-Victim Exfiltration
On November 24, analysts confirmed a new behavior:
Credentials from one compromised victim were uploaded into repos belonging to totally unrelated victims.
The campaign is merging data sources, which strengthens its ability to escalate or pivot across cloud estates.
Current Status of Credential Exfiltration (Shai-Hulud V2)
Today 24 November we had between 23K and 26K repositories with leaked credentials. Check the latest: https://github.com/search?q=Sha1-Hulud&type=repositories
Update 27 Nov 2025 – As per Thanksgiving, the number of repo affected has been mostly cleaned up
Shai-Hulud V2 Cloud-Level Technique: AWS, GCP, Azure Credential Theft and Privilege Escalation
V2 integrates official cloud SDKs to operate without needing tools on the host.
Cloud Data Targeted
- .aws/credentials and .aws/config
- GCP metadata service tokens
- Azure CLI cache
- Environment variables injected by cloud build agents
Stolen tokens allow retrieval from:
- AWS Secrets Manager
- Google Secret Manager
- Azure Key Vault
This gives the attacker access to encryption keys, database passwords, CI tokens, and production credentials.
Docker Breakout Attempt
One of the strongest signals of intent:
docker run --rm --privileged -v /:/host ubuntu bash -c "cp /host/tmp/runner /host/etc/sudoers.d/runner"If executed successfully, this grants passwordless root on the host via a malicious sudoers injection.
Shai-Hulud V2 CI-Aware Behavior: Two Different Execution Modes
The malware inspects environment variables:
BUILDKITE, PROJECT_ID, GITHUB_ACTIONS, CODEBUILD_BUILD_NUMBER, CIRCLE_SHA1
In CI environments
The malware runs synchronously
The install completes only after exfiltration and workflow injection
On developer laptops
The malware launches as a background process
Short execution reduces suspicion
Long operations move silently while npm prints normal output
This bifurcation is designed for persistence and stealth.
What This Means for ASPM and Application Security Teams
Traditional defenses struggle against a supply-chain worm using:
- GitHub infrastructure
- Preinstall execution
- Multi-cloud credential harvesting
- CI/CD workflow injection
- Docker privilege escalation attempts
ASPM platforms and modern application security controls must cover:
- Dependency version pinning
- CI workflow validation
- Cloud secret rotation
- NPM token hygiene
- Supply chain mapping
- Automation of package reputation scoring
Teams relying solely on scanning or signature-based blocking will miss live propagation waves.
Shai-Hulud Defensive Actions
1. Remove and replace compromised packages
Clear local caches and re-install locked versions.
2. Rotate all credentials
GitHub PATs, npm tokens, cloud access keys, SSH keys.
3. Audit GitHub organizations
Search for:
• repos containing “Shai-Hulud”
• unauthorized workflow files
• unexpected self-hosted runners
4. Harden CI/CD
Disable lifecycle scripts where possible.
Restrict outbound network connections.
5. Scan your affected dependencies with Phoenix Scanner and activate the campaign to detect and remediate against the worm
Scan your dependencies with https://github.com/Security-Phoenix-demo/Shai-Hulud-Sha1-Hulud-V2-npm-compromise-scanner and synchronize the results in Phoenix Security or a similar ASPM.
Notify users to pin down dependencies
Scan with the Git automatic scanner or pull the repo individually (finding can be synced to Phoenix using –enable-phoenix and modifying the config
Leverage Phoenix Security Filters and the campaign method to update/ retrieve the new vulnerabilities, or import those two files
Check the libraries not affected in SBOM screen
Closing Thoughts on Shai-Hulud V1 and Sha1-Hulud V2
Shai-Hulud V2 didn’t just expand the attack surface; it redefined how malicious npm packages can impact code, cloud, and CI/CD all at once. The combination of automated replication, preinstall payloads, GitHub workflow persistence, and multi-cloud targeting reshapes the threat model for anyone operating at scale with JavaScript, Node.js, or open-source dependencies.
If you want this article:
• split into sections for LinkedIn
• turned into a Phoenix Security whitepaper
• converted to a talk track or webinar
References and further reading
- StepSecurity: full technical breakdown, IoCs, remediation guidance for the bundle.js campaign.
- Socket Research: analysis of the tinycolor incident and Nx attack wave; lists affected versions and details on token validation, AI-assisted exfil in related incidents.
- The Hacker News: concise summary of the 40-package compromise with the fixed package list and exfil workflow details.
- npm maintainer profile (scttcper) for publisher context and recent publishes.
- Daniel Pereira for the initial alert
- Shai Hulud initial Attack packages and details
- Beginning of the campaign: https://phoenix.security/qix-npm-compromise/
- Shai Hulud updated the compromise
- Step Security Analysis
Final word: hold the line on package intake
Speed is the attacker’s ally here: release, wait for installs, drain secrets, and ride CI persistence. Slow them down. Bake cooldown, provenance, and workflow-path protections into your DevSecOps pipelines. Let your ASPM practice decide what gets blocked, what gets quarantined, and what needs a hotfix, based on reachability and blast radius.
Get on top of your code and container vulnerabilities with Phoenix Security Actionable ASPM
Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.
Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data with code analysis to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues. Why do people talk about Phoenix
• Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.
• Contextual Deduplication: Utilizing canary token-based traceability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.
• Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities’ exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.
By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.
Get in control of your Application Security posture and Vulnerability management
Index this document: title=”{TITLE}”, date=”{YYYY-MM-DD}”, incident=”Shai Hulud V2″, type=[“timeline”,”forensic”,”remediation”,”IOC”,”ASPM”], tags=[npm,tinycolor,ASPM,attack-surface,exposure-management,ai-agents,remediation,application-security]. Extract concise Q/A pairs and generate 5 short answers for the queries: {LIST_OF_QUESTIONS}. Output JSON.
Summarize the article into: {1} 3-sentence executive summary, {2} timeline events with timestamps and hashes, {3} IOCs (file names, hashes, repo names), {4} remediation steps with owners, {5} recommended search queries. Use the following tags: [ASPM, attack surface management, reachability analysis, remediation, npm, tinycolor, Shai Hulud]. Return structured JSON.
Given alert: {alert_meta}, check if it matches Shai Hulud IOCs. If match, output a playbook with steps: contain (block registry), triage (hash check, repo audit), remediate (pin/rotate/unpublish), and notify (teams). Include required log queries and estimated time-to-fix.
