Shai-Hulud worm returns, belches secrets to 25K GitHub repos

Summary

A wormable supply-chain campaign known as “Shai-Hulud” has resurfaced, with Wiz researchers reporting that more than 25,000 GitHub repositories exposed secrets within days of the latest infection wave. Trojanised npm packages — including packages attributed to vendors such as Zapier, AsyncAPI, ENS Domains, PostHog and Postman — were used to plant malware that scans for cloud and GitHub credentials and then publishes those credentials back to the victims’ own repositories.

Notably, the new variant executes during the pre-install phase, which raises the risk to build and CI/CD environments. The attack chain remains familiar: attackers gain access to maintainer accounts, publish trojanised packages that appear legitimate, and users who install those packages unknowingly trigger the compromise.

Key Points

  • The Shai-Hulud campaign has reappeared and caused over 25,000 repositories to leak secrets in a matter of days.
  • Trojanised npm packages came from packages tied to well-known projects and vendors, increasing reach via routine developer installs.
  • The malware executes in the pre-install phase, which can expose secrets in build and CI/CD pipelines as well as local environments.
  • Infected hosts are scanned for AWS, GCP, Azure and GitHub credentials; harvested secrets are published to the victim’s own GitHub repos.
  • GitHub is removing compromised repositories, but the worm’s rapid propagation complicates cleanup.
  • Immediate mitigations: clear npm cache, roll back to dependency builds from before 21 November, rotate credentials, search for suspicious commits or repos mentioning “hulud”, and harden CI/CD pipelines.
  • Registry and platform changes are underway (GitHub moving to FIDO-based authentication; npm disabling classic tokens and revoking them by 9 December) to reduce future risk.

Content summary

Wiz researchers observed attackers trojanising npm packages and publishing malicious versions that execute code during installation. The new behaviour — code running in the pre-install phase — significantly widens the blast radius because it can run in build servers and other automated environments where secrets are often accessible.

The current wave began on 21 November, trojanised packages were live by 23 November, and within that short window more than 25,000 repositories had leaked credentials, published to repositories under the victims' own GitHub accounts where the attackers could collect them. GitHub is actively deleting compromised repositories and registries are moving to tighten authentication and token handling, but remediation remains a manual, time-sensitive effort for affected teams.

Context and relevance

This incident is part of a broader surge in npm supply-chain attacks over the past year — frequent discoveries of malicious packages and token-farming campaigns show that ecosystem trust is under sustained pressure. For organisations that rely on npm, Node.js, and automated CI/CD, the threat is immediate: leaked cloud credentials can lead to account takeover, data exfiltration and further lateral attacks.

Operationally, defenders should treat any build or CI job that used affected dependencies between 21–23 November as high priority. The episode also reinforces the need for least-privilege secrets, ephemeral credentials in pipelines, automated secret-scanning, and strict maintainer account hygiene (strong auth, FIDO 2FA where possible).
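A concrete starting point for the hunt steps listed under Key Points (search for anything mentioning "hulud") and for triaging builds that pulled dependencies in the 21–23 November window. This is an added example, not a script from the article, The Register or Wiz: it walks a node_modules tree, reports every package that declares an install-time hook (the phase the new variant runs in), and lists files that mention the "hulud" marker. The package names, the demo tree and the contents of install.js are constructed for the demo; nothing here accuses a real package.

```shell
#!/usr/bin/env sh
# Added hunt script for the mitigation steps above. Not from the article or from
# Wiz; the package names, the demo tree and the install.js contents are
# constructed for this example. Only the "hulud" marker comes from the page.
set -eu

# Print every install-time hook declared by a package.json under a node_modules
# tree, one per line as "<hook> <path>". Shai-Hulud 2.0 runs at pre-install, so
# any package declaring preinstall/install/postinstall deserves a look.
find_install_hooks() {
  root="$1"
  find "$root" -path '*/node_modules/*' -name package.json 2>/dev/null |
  while IFS= read -r pkg; do
    for hook in preinstall install postinstall; do
      # Dependency-free check: a quoted hook name followed by a colon.
      if grep -q "\"$hook\"[[:space:]]*:" "$pkg"; then
        printf '%s %s\n' "$hook" "$pkg"
      fi
    done
  done
}

# Number of hooks found; usable as a CI gate (0 means nothing runs at install).
count_install_hooks() {
  find_install_hooks "$1" | wc -l | tr -d ' '
}

# Files anywhere under a tree that mention the campaign's marker string.
find_hulud_marker() {
  grep -rIil 'hulud' "$1" 2>/dev/null || true
}

# Build a small constructed tree: one clean package and one with a preinstall
# hook whose script carries the marker. Both package names are fictional.
make_demo_tree() {
  dir="$1"
  mkdir -p "$dir/node_modules/example-clean" "$dir/node_modules/@acme/widget"
  cat > "$dir/node_modules/example-clean/package.json" <<'EOF'
{ "name": "example-clean", "version": "1.3.0", "main": "index.js" }
EOF
  cat > "$dir/node_modules/@acme/widget/package.json" <<'EOF'
{ "name": "@acme/widget", "version": "2.0.1",
  "scripts": { "preinstall": "node install.js" } }
EOF
  cat > "$dir/node_modules/@acme/widget/install.js" <<'EOF'
// constructed stand-in for a trojanised hook; only the marker string is real
console.log("shai-hulud");
EOF
}

# Demo entry point: ./hunt.sh --demo builds the tree and reports on it.
# For a real project: . ./hunt.sh; find_install_hooks ./node_modules
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_tree "$tmp"
  echo "install hooks:"; find_install_hooks "$tmp"
  echo "files mentioning hulud:"; find_hulud_marker "$tmp"
  rm -rf "$tmp"
fi
```

Two caveats the article does not spell out. The hook check is a triage list, not a verdict: many legitimate native packages declare install scripts, so the value is in diffing the list against a build from before 21 November. And because the payload fires at pre-install, rolling back lockfiles is only half the fix; installing with scripts disabled (`npm ci --ignore-scripts`, a standard npm flag) in CI stops the next trojanised version from executing at all, at the cost of packages that genuinely need a build step. For the GitHub side of the hunt, the same marker search can be run across an organisation's repositories with the GitHub CLI (assumed to be a version with `gh search repos`): `gh search repos hulud --owner <your-org>`.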

Why should I read this?

Short version: if you touch npm, CI or cloud creds, this is your problem. Secrets are getting auto-published back into people’s repos — which means automated pipelines, dev machines and production credentials can all be at risk. Read the details so you can clear caches, roll back builds, rotate keys and hunt for signs of compromise before something worse happens.

Author note (style)

Punchy: This is big and fast-moving. If you manage code, pipelines or cloud keys, act now — the article and linked mitigations save you from chasing headaches later.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/24/shai_hulud_npm_worm/

Further reading / indicators of compromise: Wiz writeup on Shai-Hulud 2.0.