
Shai-Hulud 2.0 npm Supply Chain Attack Exposes Trust Wallet: $8.5 Million Stolen in Major Cloud-Native Breach

  • Dec 31, 2025

Executive Summary

The Shai-Hulud 2.0 supply chain attack represents a critical escalation in cloud-native ecosystem threats, leveraging malicious modifications to hundreds of widely used npm packages to compromise developer environments, CI/CD pipelines, and cloud-connected workloads. Attackers exploited the npm package supply chain by injecting malicious scripts into the preinstall phase, enabling credential harvesting and exfiltration before security controls could intervene. The campaign’s automation and worm-like propagation led to the compromise of over 25,000 GitHub repositories and the exposure of hundreds of cloud credentials, including those used by major organizations such as Zapier, PostHog, Postman, and Trust Wallet.

Incident-specific advisories and blockchain forensics confirm that secrets compromised in this campaign were used to drain digital wallets, including a confirmed $8.5 million theft from Trust Wallet. The technical chain of compromise, from npm package infection through credential theft to direct financial loss, has been independently verified by multiple security vendors. The attack demonstrates the urgent need for robust supply chain security, credential hygiene, and rapid incident response across all organizations leveraging open-source dependencies and cloud infrastructure.

Technical Information

The Shai-Hulud 2.0 campaign is a sophisticated supply chain attack targeting the npm ecosystem. Attackers gained initial access by compromising maintainer accounts of popular npm packages, including those from Zapier, PostHog, and Postman. In some cases, phishing campaigns spoofing npm prompted developers to “update” multi-factor authentication (MFA) settings, capturing credentials and enabling unauthorized access to npm accounts (Palo Alto Networks Unit 42).

Once access was obtained, attackers added a malicious preinstall hook to the package.json of affected packages that runs a script named setup_bun.js. Because npm executes preinstall hooks before any tests or security checks, the script ran with the full reach of the install step and evaded traditional detection mechanisms (Microsoft Security Blog). The script checked for the presence of the Bun runtime, installing it if absent, and then executed bun_environment.js. This secondary script downloaded and installed a GitHub Actions Runner archive, configured a new repository, and registered a self-hosted runner named SHA1HULUD.

The malware bundled tools such as TruffleHog to scan for secrets and credentials within the environment. It targeted local configuration files (e.g., ~/.aws/credentials, ~/.azure/), environment variables, and cloud metadata services (IMDS) to extract temporary and long-term credentials for AWS, Azure, and Google Cloud Platform (GCP). The malware also harvested npm tokens, GitHub Personal Access Tokens (PATs), and SSH keys. Stolen credentials were exfiltrated to attacker-controlled public GitHub repositories, often under fake personas such as “Linus Torvalds,” with repository descriptions referencing “Sha1-Hulud: The Second Coming” (Wiz Blog).

The attack chain enabled persistent remote code execution via the self-hosted runner and allowed attackers to assume privileged roles in cloud environments, manipulate IAM policies, and maintain long-term access. In some cases, fallback mechanisms attempted to destroy user home directories if the malware was detected or interrupted. The campaign’s worm-like propagation was achieved by using stolen npm tokens to authenticate as compromised developers, identify other packages they maintained, inject malicious code, and publish new compromised versions, exponentially increasing the attack’s reach.

The impact of the campaign is significant. Over 700 npm packages were compromised, leading to the creation of more than 25,000 malicious GitHub repositories across approximately 500 users. Hundreds of cloud credentials were exposed, including 775 GitHub access tokens, 373 AWS credentials, 300 GCP credentials, and 115 Azure credentials. The attack enabled direct compromise of cloud environments, data theft, ransomware deployment, cryptomining, and, in the case of Trust Wallet, the theft of $8.5 million in digital assets.

The technical methods used in the attack map to multiple MITRE ATT&CK techniques, including T1195 (Supply Chain Compromise), T1059 (Command and Scripting Interpreter), T1136/T1078 (Create Account/Valid Accounts), T1552/T1555 (Unsecured Credentials/Credentials from Password Stores), T1567/T1537 (Exfiltration Over Web Service/Transfer Data to Cloud Account), and T1486/T1496 (Data Encrypted for Impact/Resource Hijacking).

Affected Versions & Timeline

The Shai-Hulud 2.0 campaign was first observed on November 24, 2025, with the earliest evidence of malicious repositories being created on GitHub at 01:22 UTC. The first malicious package versions were uploaded to npm around 03:00 UTC the same day. The campaign continued to propagate, with a second phase observed on November 25, 2025, involving the publication of private repositories using credentials compromised in the initial phase. By November 26, 2025, active abuse of leaked cloud and code keys was observed, including the use of AWS long-term credentials and GitHub PATs (Wiz Blog).

The primary malicious scripts, setup_bun.js and bun_environment.js, were active from November 24, 2025, to December 1, 2025 (Microsoft Security Blog). The campaign affected approximately 700 npm packages and resulted in the compromise of over 25,000 GitHub repositories.

The direct link to the $8.5 million Trust Wallet heist was established through incident-specific advisories and blockchain forensics, which confirmed that secrets compromised in the npm supply chain attack were used to drain wallets, including Trust Wallet, during the same timeframe.

Threat Activity

The Shai-Hulud 2.0 campaign demonstrated advanced threat activity across multiple stages of the attack lifecycle. Initial access was achieved through both direct compromise of npm maintainer accounts and credential-harvesting phishing campaigns. The use of malicious preinstall scripts allowed attackers to execute code before security controls could intervene, enabling the installation of the Bun runtime and execution of further malicious payloads.

Persistence was established by registering infected machines as self-hosted GitHub Actions runners, allowing attackers to execute arbitrary commands via specially crafted workflows. The malware’s credential harvesting capabilities were extensive, targeting local files, environment variables, cloud metadata services, and secrets managers across AWS, Azure, and GCP. Exfiltration was conducted via public GitHub repositories, with attackers using fake personas and obfuscated commit histories to evade detection.

The campaign’s worm-like propagation allowed it to infect additional npm packages maintained by compromised developers, publishing new malicious versions automatically and exponentially increasing the attack’s reach. The impact included direct compromise of cloud environments, theft of sensitive data, ransomware deployment, cryptomining, and, in the case of Trust Wallet, the theft of $8.5 million in digital assets.

Attribution to the Shai-Hulud threat actor is assessed with high confidence based on unique technical artifacts, consistent tactics, techniques, and procedures (TTPs), and independent confirmation by multiple security vendors. The link to the Trust Wallet heist is assessed with medium-high confidence, based on incident-specific advisories and blockchain forensics confirming the use of compromised secrets from the npm supply chain attack.

Mitigation & Workarounds

Critical mitigation steps include immediate review of all key vault assets (such as Azure Key Vault) and investigation of access logs for unauthorized activity. Organizations should rapidly rotate and revoke any exposed credentials, especially those associated with cloud environments, CI/CD pipelines, and developer accounts. Affected CI/CD agents or workspaces must be isolated to prevent further lateral movement.

It is essential to remove unnecessary roles and permissions granted to identities assigned to CI/CD pipelines, with a specific focus on access to key vaults and secrets managers. For npm maintainers, trusted publishing should be used instead of tokens, and publishing settings should be strengthened to require two-factor authentication (2FA) for all write and publishing actions.

Organizations should conduct a comprehensive audit of all npm dependencies, verify the integrity of installed packages, and monitor for the presence of known indicators of compromise, including setup_bun.js, bun_environment.js, and unauthorized GitHub Actions runners named SHA1HULUD. Commit signature verification should be enforced to prevent impersonation and unauthorized code changes.

Incident response teams must prioritize the identification and remediation of compromised credentials, with a focus on cloud provider keys, GitHub PATs, and npm tokens. All affected secrets should be rotated, and access logs should be reviewed for signs of unauthorized activity. Organizations should also implement continuous monitoring for anomalous activity in cloud environments and code repositories.

References

Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/

Wiz Blog: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

Palo Alto Networks Unit 42: https://unit42.paloaltonetworks.com/npm-supply-chain-attack/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor supply chain risks, including those arising from open-source dependencies and cloud service integrations. Our platform enables continuous visibility into vendor and software supply chain exposures, supports automated risk assessments, and facilitates rapid response to emerging threats. For questions or further guidance, contact us at ops@rescana.com.
