NHI Forum

Shai-Hulud 2.0 Attack Compromises 25,000+ Repositories — Why Exposed Secrets Are the New Supply Chain Crisis

Posted by @unosecur (Estimable Member, joined 10 months ago, 52 posts), topic starter

Read full article here: https://www.unosecur.com/blog/shai-hulud-2-0-supply-chain-attack-25k-repos-exposing-secrets/?utm_source=nhimg


The Shai-Hulud 2.0 npm supply chain attack represents one of the most widespread cloud identity breaches ever observed in the open-source ecosystem. Through hijacked npm packages, compromised maintainer accounts, and malicious pre-install scripts, the campaign silently extracted secrets, cloud credentials, GitHub tokens, CI/CD pipeline variables, and automation identities at unprecedented scale. More than 25,000 GitHub repositories were created to store exfiltrated credentials, with nearly 1,000 new repositories appearing every 30 minutes at peak activity.

This article analyzes the attack through the lens of Cloud Identity Security, explains exactly how the malware harvested and weaponized credentials, and highlights how posture, detection, and lifecycle automation through Unosecur reduce the long-term blast radius of supply chain breaches.


What Happened: A Timeline of the Shai-Hulud 2.0 npm Supply Chain Attack

Compromised npm Packages and Maintainer Accounts

Between November 21 and 23, 2025, attackers took over npm accounts and uploaded malicious versions of widely used packages. Because these libraries were deeply embedded across enterprise applications, CI/CD jobs, developer machines, and production build systems, malware execution began immediately during automated dependency installation.

Massive Credential Exfiltration via Pre-Install Hook

The modified packages triggered a pre-install execution payload, enabling the malware to run before installation completed. This guaranteed execution across:

  • Developer laptops
  • CI/CD runners
  • Build automation
  • Local development environments
  • Production packaging pipelines

Once triggered, the attack harvested cloud credentials, GitHub tokens, SSH keys, npm publish tokens, service account keys, CI/CD secrets, and environment metadata.


Exfiltration to 25,000+ GitHub Repositories

Each infected machine created new GitHub repositories using stolen tokens and uploaded harvested JSON files such as environment.json and cloud.json. Credentials were mixed between victims to make attribution harder and ensure persistence even when repositories were removed.


How Shai-Hulud 2.0 Captured, Abused, and Weaponized Cloud Identities

  1. Pre-Install Malware Execution

The initial payload executed before dependency installation completed, bypassing typical supply chain scanning controls.

  2. Credential and Secrets Harvesting

The malware recursively harvested:

  • AWS, Azure, and GCP credentials
  • GitHub personal access tokens and GitHub App tokens
  • CI/CD secrets (GitHub Actions, GitLab CI, Jenkins)
  • Kubernetes secrets and kubeconfig files
  • npm publish tokens
  • SSH private keys and browser credential stores
  • Metadata tokens from cloud instances

  3. GitHub-Based Exfiltration

The campaign used stolen GitHub tokens to create repositories and upload stolen JSON credential files.

  4. GitHub Workflow Backdoors and Persistence

Victim repositories were modified to include:

  • Self-hosted CI runners labeled SHA1HULUD
  • Workflows that executed remote commands triggered by Discussion events
  • Temporary workflows that dumped GitHub secrets as artifacts

  5. Self-Propagation via npm Maintainer Tokens

Using stolen npm tokens, the malware:

  1. Downloaded the maintainer’s other packages
  2. Injected the payload
  3. Incremented version numbers
  4. Published compromised versions

This allowed the malware to behave like a self-propagating worm across the npm ecosystem.

  6. Destructive Fallback Mode

When replication or exfiltration failed, the malware switched to destructive behavior:

  • Secure deletion of user directories
  • Disk overwrite attempts
  • Host privilege escalation via Docker breakout


Why This Attack Was So Effective: The Cloud Identity Security Dimension

The malware succeeded because it targeted the identity layer, where modern automation and cloud operations intersect. The damage window was amplified by four structural realities:

  Weakness                        | Impact
  --------------------------------|------------------------------------------
  Long-lived secrets              | Persistent access without detection
  Overprivileged service accounts | Rapid lateral movement and role chaining
  Lack of identity visibility     | Unknown breach scope and slow response
  Manual credential usage         | No behavioral baselines for detection

With valid machine credentials, attackers could:

  • Assume cloud roles
  • Access secret management systems
  • Enumerate GitHub secrets
  • Deploy long-term persistence mechanisms
  • Escalate privileges inside multicloud setups

The blast radius was defined not by malware, but by the strength of identity security posture.


What Security Teams Must Do Immediately

  1. Remove Malicious npm Packages

  • Clear cache
  • Delete node_modules
  • Reinstall only versions published before November 21, 2025

  2. Rotate All Secrets and Credentials

This includes:

  • Cloud access keys
  • Temporary tokens
  • CI/CD credentials
  • GitHub PATs, App tokens, deploy keys
  • npm tokens
  • SSH keys

  3. Audit GitHub Organizations

Check for:

  • Unknown workflows
  • Unknown CI runners
  • Suspicious branches
  • Unauthorized artifacts
  • Repositories created during the compromise window

  4. Harden CI/CD Pipelines

Recommended controls:

  • Disable unnecessary lifecycle scripts
  • Restrict outbound network access
  • Pin dependency versions
  • Enforce short-lived scoped credentials

  5. Evaluate Cloud Identity Posture

Rotation alone does not resolve future risk. Organizations must eliminate:

  • Long-lived secrets
  • Overprivileged roles
  • Unused identities
  • Weak identity governance


How Unosecur Reduces the Blast Radius of Supply Chain Breaches

Unosecur is purpose-built for Machine Identity and Secret Security across cloud and SaaS environments. After events like Shai-Hulud 2.0, global teams rely on Unosecur to:

  1. Map Exposed Credentials to Real Identities

Identify which leaked credentials belonged to:

  • Production vs dev/test environments
  • Automation vs human accounts
  • Cloud vs SaaS vs CI/CD identities

  2. Detect Identity Misuse with Behavior-Based ITDR

Spot suspicious activity such as:

  • Unexpected role assumptions
  • Secrets store access anomalies
  • Unusual cloud-to-cloud access
  • Dormant identity reactivation

  3. Reduce Privilege Blast Radius

Automatically highlight:

  • Excessive privileges
  • Unused permissions
  • Identity reuse across workloads
  • Long-lived credentials

  4. Accelerate Secure Cleanup

Provide remediation paths for:

  • Key rotation
  • Role modification
  • Temporary privilege lockdown
  • Identity owner assignment


Closing: The Shai-Hulud 2.0 Attack Was Not Just a Supply Chain Breach — It Was an Identity Breach

The campaign exposed a harsh reality: supply chain attacks quickly turn into cloud breaches because machine identities are the new perimeter. Developers don’t just install packages; they install software that touches secrets, and those secrets unlock everything.

Organizations that treat machine identities, secrets, tokens, and automation credentials as first-class security assets dramatically reduce the risk of repeat incidents.

The fastest path to resilience is now clear:

Secure every identity. Minimize every privilege. Shorten every secret. Monitor every behavior.

And that is exactly what Unosecur delivers.

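The post's remediation list (disable unnecessary lifecycle scripts; audit for unknown workflows and runners) and its description of the workflow backdoors (runners labeled SHA1HULUD, Discussion-event triggers, workflows dumping secrets as artifacts) can be turned into a quick local audit of a checkout. The script below is an added example written for this thread; it is not code from the article or from Unosecur. It builds a constructed sample tree (the package names, hook command and workflow files are invented for the demo) and then reports every installed package.json that declares an install-time hook and every workflow file that shows one of the three indicators named in the post.

```python
"""Audit a repository checkout for two Shai-Hulud-style artifacts:
npm install-time lifecycle scripts and GitHub workflow files that
look like the backdoors described in the post. Added example."""
import json
import re
import tempfile
from pathlib import Path

# npm hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators taken from the post: runner label, Discussion trigger,
# and a workflow that serializes the secrets context into an artifact.
RUNNER_LABEL = "SHA1HULUD"
DISCUSSION_TRIGGER = re.compile(
    r"(^\s*-?\s*discussion(_comment)?\s*:?\s*$)"          # block-style `on:` entry
    r"|(\[[^\]]*\bdiscussion(_comment)?\b[^\]]*\])", re.M)  # flow-style list
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)")
UPLOAD_ARTIFACT = re.compile(r"uses:\s*actions/upload-artifact")


def find_lifecycle_scripts(root):
    """Return [(relative package.json path, hook, command)] for every
    package under root that declares an install-time hook."""
    root = Path(root)
    findings = []
    for pkg_json in sorted(root.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # unreadable or not JSON: skip rather than crash the audit
        scripts = data.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append((str(pkg_json.relative_to(root)), hook, scripts[hook]))
    return findings


def audit_workflows(root):
    """Return {workflow file name: [indicator descriptions]} for
    .github/workflows/*.yml|yaml files that match any indicator."""
    findings = {}
    wf_dir = Path(root) / ".github" / "workflows"
    if not wf_dir.is_dir():
        return findings
    for wf in sorted(wf_dir.iterdir()):
        if wf.suffix not in (".yml", ".yaml"):
            continue
        text = wf.read_text(encoding="utf-8", errors="replace")
        hits = []
        if RUNNER_LABEL in text:
            hits.append("self-hosted runner labeled SHA1HULUD")
        if DISCUSSION_TRIGGER.search(text):
            hits.append("triggered by discussion events")
        if SECRETS_DUMP.search(text) and UPLOAD_ARTIFACT.search(text):
            hits.append("dumps secrets into an artifact")
        if hits:
            findings[wf.name] = hits
    return findings


def run_audit(root):
    """Combine both checks into one report dict."""
    return {"lifecycle_scripts": find_lifecycle_scripts(root),
            "workflows": audit_workflows(root)}


def build_sample_tree(root):
    """Write a constructed checkout: one clean package, one package with a
    preinstall hook, one benign workflow and one backdoor-shaped workflow.
    All names and contents are invented for this example."""
    root = Path(root)
    clean = root / "node_modules" / "example-clean-pkg"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "example-clean-pkg", "version": "1.0.0",
         "scripts": {"test": "node test.js"}}))
    hooked = root / "node_modules" / "example-hooked-pkg"
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps(
        {"name": "example-hooked-pkg", "version": "2.0.1",
         "scripts": {"preinstall": "node install-hook.js"}}))
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "ci.yml").write_text(
        "name: CI\non: [push, pull_request]\njobs:\n  test:\n"
        "    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: npm ci --ignore-scripts\n")
    (wf / "discussion.yml").write_text(
        "name: discussion\non:\n  discussion:\n    types: [created]\n"
        "jobs:\n  run:\n    runs-on: [self-hosted, SHA1HULUD]\n    steps:\n"
        "      - run: echo '${{ toJSON(secrets) }}' > out.json\n"
        "      - uses: actions/upload-artifact@v4\n        with:\n"
        "          path: out.json\n")


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return run_audit(tmp)


if __name__ == "__main__":
    report = demo()
    for path, hook, cmd in report["lifecycle_scripts"]:
        print(f"[lifecycle] {path}: {hook} -> {cmd}")
    for name, hits in report["workflows"].items():
        print(f"[workflow] {name}: {', '.join(hits)}")
```

Run it against a real checkout with `run_audit("/path/to/repo")` after the cache clear and reinstall steps above; any lifecycle hook it reports is a candidate for `npm ci --ignore-scripts` (or an explicit allow-list), and any workflow hit should be compared against the repository's history for the November 21 to 23 window.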