A sophisticated malware named Shai-Hulud 2.0 has compromised over 30,000 GitHub repositories since its emergence on November 24, 2025, marking a significant supply chain security breach. This worm-like malware targets the developer ecosystem, particularly the NPM package manager, and has spread across multiple platforms including Maven and OpenVSX, highlighting a growing threat to the tools developers rely on daily.
The Shai-Hulud 2.0 attack, as detailed by Wiz.io security analysts, infiltrates systems through poisoned NPM packages. The primary infection vectors identified are @postman/tunnel-agent version 0.6.7 and @asyncapi/specs version 6.8.3, which together account for over 60 percent of all infections. Researchers have stated that the malware self-propagates by searching for existing GitHub credentials within compromised environments and using them to upload additional malicious repositories, creating a cascading chain of infections.
Credential Harvesting and Persistence Mechanisms of Shai-Hulud 2.0
The infection chain begins when the malware, embedded within a compromised package, executes a pre-install script automatically during the package installation phase. This script is designed to establish persistence on the system and initiate its credential harvesting operations with minimal user intervention. The malware collects environment variables and system information, storing them in an environment.json file to create a detailed fingerprint of each compromised system. Analysis indicates that most infected machines are Linux-based containers, frequently found within CI/CD environments, with GitHub Actions being a leading targeted platform.
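Because the worm runs from an install lifecycle script and the article names its two primary carrier versions, a defender's first check is the lockfile. The following is an added example (not code from the article or from Wiz.io): it walks an npm package-lock.json v2/v3 "packages" map, flags the two versions named above, and separately flags every dependency that npm has marked with hasInstallScript, since those are the packages that would run code at install time. The lockfile content is a constructed sample, and the versions of its benign entries are hypothetical.

```javascript
// Added example: scan an npm lockfile (v2/v3 "packages" map) for the package
// versions the article names as primary infection vectors, and flag any dependency
// that npm recorded as having an install lifecycle script (hasInstallScript).
const KNOWN_BAD = new Map([
  ["@postman/tunnel-agent", new Set(["0.6.7"])],
  ["@asyncapi/specs", new Set(["6.8.3"])],
]);

// Returns a list of findings; each is { name, version, reason }.
// reason is "known-compromised-version" or "install-script".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Keys look like "node_modules/@scope/name" or, when nested,
    // "node_modules/a/node_modules/b"; the package name follows the last "node_modules/".
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const version = entry.version;
    if (KNOWN_BAD.get(name)?.has(version)) {
      findings.push({ name, version, reason: "known-compromised-version" });
    } else if (entry.hasInstallScript) {
      findings.push({ name, version, reason: "install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile; benign entries and their versions are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@asyncapi/specs": { version: "6.8.3", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-native-addon": { version: "2.0.1", hasInstallScript: true },
  },
};

const SAMPLE_FINDINGS = scanLockfile(SAMPLE_LOCK);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.reason}: ${f.name}@${f.version}`);
}
```

A hit on a known version means the host and every credential reachable from it should be treated as exposed; an install-script hit is only a prompt to review that package before running a non-`--ignore-scripts` install.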
Shai-Hulud 2.0 has successfully stolen approximately 500 unique GitHub usernames and tokens from files within the compromised repositories, according to Wiz.io. Beyond these critical development credentials, the malware attempted to exfiltrate up to 400,000 secrets identified through Trufflehog scanning. However, the report notes that only about 2.5 percent of these scanned secrets have been verified as legitimate.
A critical aspect of the Shai-Hulud 2.0 attack is the validity of the exfiltrated credentials. Wiz.io researchers reported that over 60 percent of the leaked NPM tokens remain valid, posing an active and significant risk for further supply chain attacks. This represents a persistent threat as attackers can leverage these valid tokens to gain unauthorized access to sensitive codebases and infrastructure.
The malware’s attempts to harvest cloud secrets from AWS, Google Cloud, and Azure environments were hindered by implementation flaws. These flaws, specifically missing error handling, prevented the malware from successfully extracting secrets from multiple cloud providers simultaneously. Despite this limitation in cloud credential theft, local secrets and development-related credentials within the compromised environments remain fully compromised, affecting thousands of organizations globally.
The ongoing investigation into the Shai-Hulud 2.0 malware will likely focus on the full extent of its propagation and the potential impact of the stolen credentials. Developers and organizations utilizing the affected NPM packages are strongly advised to review their GitHub access tokens and immediately revoke any potentially compromised credentials. Further analysis is expected to reveal additional compromise vectors and potential mitigation strategies to safeguard against future supply chain attacks of this nature.