How should teams govern NHI secrets in npm supply chain attacks?


(@entro)
Estimable Member
Joined: 1 year ago
Posts: 79
Topic starter  

TL;DR: A new Shai Hulud-style supply chain campaign is abusing npm install time to harvest developer and CI/CD secrets, with researchers reporting more than 26,000 affected repositories and 8.4 million exposed secret findings, according to Entro Security research. The pattern shows that supply chain compromise now lands directly on NHI governance, where token scope, rotation, and revocation determine blast radius far more than package trust alone.

NHIMG editorial — based on research published by Entro Security.

By the numbers:

Questions worth separating out

Q: How should security teams reduce the risk of secret theft from npm supply chain attacks?

A: Security teams should assume install-time code can read any credential present in the build environment.

Q: Why do npm supply chain attacks often become NHI governance failures?

A: Because the attacker usually wants the credentials, not the application code.

Q: What is the difference between secret exposure and NHI compromise?

A: Secret exposure is the discovery or leak of a credential.

Practitioner guidance

  • Isolate dependency installs from production secrets. Run npm install in environments that do not contain long-lived cloud, Git hosting, or SaaS credentials.
  • Inventory every NHI secret exposed to developer workflows. Map GitHub tokens, cloud keys, CI/CD tokens, and AI service credentials to a named owner, purpose, and rotation path.
  • Enforce immediate revocation on secret exposure. Automate revocation when leaked credentials are detected in logs, repositories, or build artifacts.

That makes secret placement, runner isolation, and revocation automation first-order governance issues, not cleanup tasks?

👉 Read Entro Security's analysis of Shai Hulud 2.0 and NHI secret exposure →




   
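An added example, not part of the post above or of Entro Security's research: one way to apply the "isolate dependency installs" guidance is to list the credential-looking variables a job exposes and then run the install with an allowlisted environment. The allowlist, the name patterns and the function names are assumptions to adapt per pipeline.

```shell
#!/bin/sh
# Added example. ALLOWED_VARS and SECRET_NAME_RE are assumptions to tune per pipeline.

# Variables the install step is allowed to inherit (assumed allowlist).
ALLOWED_VARS="PATH LANG TMPDIR CI NODE_ENV"

# Variable-name patterns that usually mark a credential (assumed, not exhaustive).
SECRET_NAME_RE='TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL'

# Pre-flight inventory: names (never values) of exported variables that look
# like credentials. awk's ENVIRON avoids misparsing multi-line values.
find_secret_vars() {
  awk 'BEGIN { for (k in ENVIRON) print k }' | grep -Ei "$SECRET_NAME_RE" | sort -u
}

# Run a command with only the allowlisted variables and an empty scratch HOME,
# so exported secrets are absent and tools that look up credential files via
# $HOME find none. Files elsewhere on the runner's disk stay readable by path.
run_scrubbed() {
  (
    scratch=$(mktemp -d) || exit 1
    for name in $ALLOWED_VARS; do
      # Forward the variable only if it is set in the calling shell.
      if eval "[ -n \"\${$name+x}\" ]"; then
        eval "set -- \"\$name=\${$name}\" \"\$@\""
      fi
    done
    env -i HOME="$scratch" "$@"
    status=$?
    rm -rf "$scratch"
    exit "$status"
  )
}

# Install step for a CI job. --ignore-scripts (a standard npm flag) skips
# lifecycle scripts; it is extra hardening beyond the guidance in the thread
# and may need relaxing for packages that compile native code.
install_deps() {
  leaked=$(find_secret_vars)
  [ -z "$leaked" ] || printf 'withheld from install: %s\n' $leaked >&2
  run_scrubbed npm ci --ignore-scripts
}
```

Any variable that `find_secret_vars` reports in an install job is a candidate for moving to a later, separate deploy step with its own short-lived credential.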
(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 138
 

A few things worth adding from our research at NHI Mgmt Group.

Supply chain compromise is now an identity governance problem, not just a software provenance problem. The key failure is not only that a package was compromised. It is that build and developer environments already contained tokens, keys, and automation credentials that could be stolen at scale. That makes the control plane for NHI governance the build system itself. Practitioners should treat package trust, secret sprawl, and access scope as one operating problem.

A few things that frame the scale:

  • 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The State of Secrets Sprawl 2026.
  • AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.

A question worth separating out:

Q: When should teams prioritise CI/CD hardening over broader secret scanning?

A: Prioritise CI/CD hardening when pipelines can reach privileged credentials or deploy to production, because those environments often turn one leaked secret into many. Secret scanning still matters, but pipeline isolation, minimal token scope, and short-lived access reduce the number of credentials available to steal in the first place.

👉 Read our full editorial: Shai Hulud 2.0 turns npm installs into NHI secret exposure



   