NHI Forum
Read full article here: https://blog.gitguardian.com/shai-hulud-a-persistent-secret-leaking-campaign/?utm_source=nhimg
The Shai-Hulud campaign marks yet another evolution in the growing wave of software supply chain attacks targeting developers, CI/CD pipelines, and open-source ecosystems. Discovered on September 15, this attack compromised over 150 NPM packages, including @ctrl/tinycolor, using a combination of local environment secret extraction and malicious GitHub Actions workflow injections—a technique similar to the s1ngularity and GhostActions campaigns.
Secrets at the Heart of the Attack
GitGuardian’s investigation revealed that attackers harvested 278 secrets, with 139 temporary GitHub tokens, alongside AWS keys and NPM tokens. While many were revoked quickly, 37 valid credentials remained active, highlighting how non-human identities (NHIs) like API keys and tokens remain one of the biggest security blind spots in DevOps pipelines.
Worm-Like Propagation Extends the Threat
Unlike previous campaigns, Shai-Hulud behaves like a worm, spreading across any additional projects victims had access to. This persistence means even after initial containment, the campaign continued exfiltrating secrets. Attackers leveraged data.json exfiltration and workflow branch injections to maintain stealth and propagate laterally.
Proactive Defense with HasMySecretLeaked
In response, GitGuardian added all stolen credential fingerprints to its HasMySecretLeaked database. This free, privacy-preserving service allows developers to securely check whether their API keys, tokens, or credentials were exposed in the attack—without ever uploading the actual values. Paired with GitGuardian’s CLI scanning tools, security teams can identify compromised secrets at scale and immediately rotate them.
Lessons for DevSecOps and Open Source Security
The Shai-Hulud campaign reinforces three critical lessons for modern software supply chain defense:
- Secrets remain the #1 attack vector — with over 83% of breaches tied to compromised credentials, this campaign highlights the urgency of proactive secret governance.
- Supply chain attacks are becoming persistent worms, capable of spreading beyond initial infection points.
- Visibility is key — without knowing where secrets live and how they are used, organizations cannot enforce rotation, expiration, or revocation.
The Bigger Picture: From Secrets Detection to NHI Governance
As attackers increasingly exploit the open-source ecosystem, proactive secrets detection and governance are essential. GitGuardian leverages one of the largest real-time secrets intelligence datasets, enabling rapid detection of leaked credentials and persistent campaigns like Shai-Hulud. By treating secrets as the backbone of Non-Human Identity (NHI) governance, organizations can prevent credential sprawl, enforce Zero Trust principles, and reduce supply chain risks.
Key takeaway
The Shai-Hulud attack isn’t just another package compromise—it’s a blueprint for how persistent, worm-like supply chain threats will evolve. Protecting against them requires visibility, automation, and proactive NHI governance.
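The privacy-preserving check described under "Proactive Defense with HasMySecretLeaked" above, modelled as an added Python example (it is not GitGuardian's code and not the actual HasMySecretLeaked protocol): the client sends only a short hash prefix, the server answers with every fingerprint sharing that prefix, and the match is decided locally, so the secret value never leaves the machine. The SHA-256 fingerprint, the prefix length and the sample tokens are constructed assumptions.

```python
import hashlib

PREFIX_LEN = 5  # assumed: hex characters of the digest that leave the client


def fingerprint(value: str) -> str:
    """Fingerprint of a secret value; only its hash is ever compared."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def query_sent_to_server(value: str) -> str:
    """The only thing transmitted for a lookup: a short hash prefix."""
    return fingerprint(value)[:PREFIX_LEN]


class LeakIndex:
    """Constructed stand-in for the server side of a k-anonymity lookup.

    It stores fingerprints of leaked credentials, bucketed by prefix, and
    never sees the caller's full hash, let alone the plaintext value.
    """

    def __init__(self, leaked_values):
        self._buckets = {}
        for v in leaked_values:
            h = fingerprint(v)
            self._buckets.setdefault(h[:PREFIX_LEN], set()).add(h)

    def bucket(self, prefix: str):
        return sorted(self._buckets.get(prefix, ()))


def check_secret(value: str, index: LeakIndex) -> bool:
    """True if the secret's fingerprint appears in the leaked set."""
    h = fingerprint(value)
    candidates = index.bucket(query_sent_to_server(value))
    return h in candidates  # comparison happens client-side


def check_env(env: dict, index: LeakIndex):
    """Return the names of environment variables whose values are known leaks."""
    return sorted(name for name, val in env.items() if check_secret(val, index))


# Constructed sample data: fingerprints the "server" knows, and a local environment.
LEAKED_INDEX = LeakIndex(["ghp_constructedLeakedToken000", "AKIACONSTRUCTEDEXAMPLE"])
SAMPLE_ENV = {
    "GITHUB_TOKEN": "ghp_constructedLeakedToken000",
    "AWS_ACCESS_KEY_ID": "AKIACONSTRUCTEDEXAMPLE",
    "NPM_TOKEN": "npm_constructedNotLeaked",
}

if __name__ == "__main__":
    print("rotate these:", check_env(SAMPLE_ENV, LEAKED_INDEX))
```

Anything reported by check_env should be rotated immediately, since the index only records that a credential was exposed, not whether it has been used.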