NHI Forum

Supply Chain Alert: Shai Hulud 2.0 Turns npm and GitHub Workflows Into Secret Pipelines


Posted by @entro (topic starter)

Read full article here: https://entro.security/blog/shai-hulud-2-0-zapier-github-and-the-worm-turning-npm-installs-into-secret-exposure-pipelines/?utm_source=nhimg


A new wave of Shai Hulud–style supply chain attacks has emerged, targeting popular npm packages from Zapier, ENS Domains, PostHog, Postman, and more. This malware executes during npm install, harvesting developer and CI/CD secrets before exfiltrating them to attacker-controlled GitHub repositories labeled “Shai-Hulud” or “Sha1-Hulud: The Second Coming.”

Security researchers report over 26,000 affected repositories spanning hundreds of users, with roughly 1,000 new repos appearing every 30 minutes at peak activity. Entro Labs analyzed these repositories to determine exactly what secrets were leaking and which Non-Human Identities (NHIs) were at risk.


What Happened: From Compromised Packages to Leaking Repos

Researchers from Aikido Security confirmed a new wave of npm compromises affecting widely used ecosystems, including Zapier automation packages, Postman components, PostHog libraries, and AsyncAPI tooling.

The Shai Hulud 2.0 playbook:

  1. Hijack maintainer accounts – Attackers abuse publishing rights of trusted npm packages to release malicious versions.
  2. Execute during install – The malware runs in the preinstall phase, triggering on dev machines or CI/CD pipelines without runtime execution.
  3. Harvest secrets aggressively – Including:
    • Environment variables
    • Cloud metadata endpoints (/metadata-style URLs) for short-lived credentials
    • Secret scanning with tools like TruffleHog
  4. Store secrets locally – Files like cloud.json, contents.json, environment.json, and truffleSecrets.json collect sensitive data.
  5. Exfiltrate to GitHub – Secrets are pushed to attacker-controlled repositories, either using “Shai-Hulud” in the name or disguised descriptions.
  6. Maintain campaign persistence – Attackers continuously create new repositories as long as compromised environments are installing tainted packages.

Every developer laptop, CI job, or build server that installs one of these packages becomes a worm host, with the secrets themselves as the payload.


Why Shai Hulud 2.0 Poses an Extreme Risk to Secrets and NHIs

This second wave is particularly dangerous because it targets install-time environments, which often contain the richest collection of secrets:

  • Long-lived GitHub tokens, npm tokens, cloud credentials
  • SaaS and AI tooling keys (Datadog, Atlassian, OpenAI)
  • CI/CD agent tokens capable of publishing packages or touching production systems

Attackers are not targeting app logic—they are harvesting the identity layer.

The worm’s propagation logic creates immediate lateral movement, using discovered tokens to:

  • Publish malicious versions of additional packages
  • Flip private repositories to public
  • Seed further environments for subsequent npm install executions

One particularly active attacker hub is the GitHub account “JenkinsGithubIntegration,” impersonating a Jenkins automation user while dumping exfiltrated secrets across hundreds of repositories.


Entro Labs Findings: The Scope of Secret Exposure

Entro Labs cloned and analyzed 26,000+ Shai Hulud 2.0–linked repositories to quantify actual secret exposure:

  • 8.4 million secrets exposed – an average of 347 secrets per repository
  • Top 5% of repos accounted for 57% of all exposed credentials

Most Frequently Exposed Secrets

  • 2.27M URLs containing embedded credentials
  • 1.11M GitHub OAuth tokens
  • 747k Box tokens
  • 615k JumpCloud credentials
  • 386k Cloudflare API tokens
  • 381k Artifactory access tokens
  • 313k private key patterns
  • 248k Docker Hub credentials
  • 236k JWTs
  • 168k CircleCI secrets

This is a systematic exfiltration, targeting SCM, CI/CD, IAM, storage, and edge infrastructure simultaneously.


Non-Human Identities Targeted

When Entro Labs categorized the leaks, the results showed NHIs as the primary victims:

  • Cloud access keys & IAM roles: 1.4% (AWS, Azure, GCP)
  • Git hosting Personal Access Tokens: 15.6% (GitHub, GitLab, Bitbucket)
  • CI/CD & automation tokens: 3.0%
  • SaaS & productivity tokens: 79.9% (Jira, Slack, Datadog, etc.)
  • AI/agent credentials: 0.2% (OpenAI, Bedrock, Claude, etc.)

Notably, @zapier/mcp-integration (versions 3.0.1–3.0.3) was among the compromised packages, allowing the worm direct access to secrets used by AI agents integrated via MCP workflows.


What You Can Do: Early Detection and Secret Hygiene

Entro Labs has released a public checker at safe.entro.security to identify whether your GitHub repos, emails, or secret hashes appear in the Shai Hulud 2.0 dataset.

To mitigate future risk:

  • Stop hardcoding secrets in code, build artifacts, and CI logs
  • Audit pipelines and developer environments for exposed tokens
  • Map secrets to NHIs and AI agents
  • Rotate or decommission compromised credentials before malware can exfiltrate them


Shai Hulud 3.0: The Next Wave

Shai Hulud is not going away. Future variants will likely expand targets, repositories, and secret types. The only way to blunt their impact is reducing the attack surface: stop unnecessary secret exposure, enforce least privilege for NHIs, and implement continuous monitoring of developer and CI/CD environments.

With proactive secret management and NHI visibility, security teams can contain Shai Hulud–style worms before they exfiltrate critical credentials.

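The post describes a worm that fires from an npm preinstall hook, stages harvested secrets in files such as cloud.json and truffleSecrets.json, and shipped in @zapier/mcp-integration 3.0.1–3.0.3. As an added example that is not part of the original post or of Entro's tooling, the following audit script walks a project or node_modules tree and flags (a) manifests whose version matches that advisory range (the three exact versions are assumed from the post's range), (b) any package that declares an install-time lifecycle script, and (c) the staging files named above, so a CI job or developer can review install-time code before trusting a build host:

```python
import json
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`; the worm in the
# post uses "preinstall", so it executes before any application code is loaded.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Compromised package and versions named in the post (assumed to be exactly
# 3.0.1, 3.0.2 and 3.0.3; the post gives the range 3.0.1–3.0.3).
KNOWN_BAD = {"@zapier/mcp-integration": {"3.0.1", "3.0.2", "3.0.3"}}

# Local staging files the post says the malware writes before exfiltration.
DROPPED_FILES = ("cloud.json", "contents.json", "environment.json", "truffleSecrets.json")


def audit_manifest(pkg: dict) -> list[str]:
    """Return findings for one parsed package.json (empty list = nothing flagged)."""
    findings = []
    name, version = pkg.get("name", "?"), pkg.get("version", "?")
    if version in KNOWN_BAD.get(name, set()):
        findings.append(f"{name}@{version}: version named in Shai Hulud 2.0 reporting")
    for hook in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd:  # any install-time script deserves a look, malicious or not
            findings.append(f"{name}@{version}: runs '{hook}' script: {cmd}")
    return findings


def audit_tree(root: Path) -> list[str]:
    """Walk a project or node_modules tree and collect all findings."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        findings.extend(audit_manifest(pkg))
    for dropped in DROPPED_FILES:
        for hit in sorted(root.rglob(dropped)):
            findings.append(f"staging file present: {hit}")
    return findings


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("node_modules")
    for line in audit_tree(target):
        print(line)
```

Run it against a checked-out project before `npm install` (to review declared hooks) and against a build host afterwards (to catch staging files); a non-empty result is a review trigger, not proof of compromise, since many legitimate packages use postinstall.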