Supply Chain Alert: Shai Hulud 2.0 Turns npm and GitHub Workflows Into Secret Pipelines


(@entro)

Executive Summary

The latest security campaign dubbed “Shai Hulud 2.0” exposes critical npm vulnerabilities by compromising popular packages used in developer environments. Malware hidden in these packages collects sensitive developer and CI/CD secrets during installation, sending them to attackers’ GitHub repositories. With over 26,000 affected repositories and frequent new infections, organizations must prioritize developer security and safeguard their pipelines against supply chain attacks.

👉 Read the full article from Entro Security here for comprehensive insights.

Main Highlights

Supply Chain Compromise

  • A new wave of attacks exploits npm packages from popular platforms like Zapier, Postman, and more.
  • Attackers run malware at the time of npm installation, leading to severe data breaches.

Secret Exfiltration

  • The malware captures sensitive secrets, including developer credentials and CI/CD tokens.
  • Exfiltrated data is then sent to malicious GitHub repositories named “Shai-Hulud” or similar.

Widespread Impact

  • Research indicates over 26,000 repositories are compromised with rapid growth in infections.
  • At peak times, roughly 1,000 new vulnerable repositories emerge every 30 minutes.

Identifying Leaks and Risks

  • Entro Labs analyzed Shai Hulud–linked repositories to understand the actual secrets being leaked.
  • The focus is on identifying non-human identities involved in these security breaches.

👉 Access the full expert analysis and actionable security insights from Entro Security here.


This topic was modified 4 weeks ago by Entro Security
This topic was modified 5 days ago by Abdelrahman
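The post notes that the malware runs at npm install time. The following added example (not code from the post or from Entro Security's article) lists the dependencies in a lockfile that are allowed to run install scripts, so they can be reviewed. It assumes a `package-lock.json` with lockfileVersion 2 or 3, where npm sets `hasInstallScript` on such entries; all package names and URLs in the sample are constructed.

```javascript
// Added example: find locked dependencies that declare install-time scripts.
// The sample lockfile below is constructed; none of its packages are real.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every entry flagged hasInstallScript that is not on the reviewed
// allowlist (an array of "name@version" strings).
function findInstallScriptPackages(lock, allowlist = []) {
  if (!lock || typeof lock.packages !== 'object' || lock.packages === null) {
    throw new Error('no "packages" map: lockfileVersion 2 or 3 is required');
  }
  const allowed = new Set(allowlist);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '' || !entry.hasInstallScript) continue; // root or no scripts
    const name = entry.name || packageNameFromPath(lockPath);
    const id = `${name}@${entry.version}`;
    if (allowed.has(id)) continue; // already reviewed at this exact version
    findings.push({ id, path: lockPath, resolved: entry.resolved || null,
                    dev: Boolean(entry.dev) });
  }
  // Code-unit ordering keeps the report stable across locales.
  return findings.sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));
}

// Constructed lockfile fragment (names and registry host are placeholders).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-http-client': { version: '4.0.2' },
    'node_modules/example-native-addon': { version: '2.1.0', hasInstallScript: true },
    'node_modules/example-build-helper': { version: '0.9.3', hasInstallScript: true, dev: true },
    'node_modules/example-http-client/node_modules/@example/telemetry': {
      version: '1.4.7', hasInstallScript: true,
      resolved: 'https://registry.example.invalid/@example/telemetry-1.4.7.tgz' },
  },
};

const reviewed = ['example-native-addon@2.1.0']; // constructed allowlist
const report = findInstallScriptPackages(sampleLock, reviewed);
console.log(JSON.stringify(report, null, 2));
```

Installing in CI with `npm ci --ignore-scripts` prevents these scripts from executing at all; the report then shows which packages would need an explicit, reviewed build step.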

   
Quote
Share: