TL;DR: Shai-Hulud 2.0 compromised more than 640 npm packages with 132 million monthly downloads, created over 25,000 malicious GitHub repositories, and harvested GitHub, npm, AWS, GCP, and Azure credentials, according to Knostic. The attack shows that software supply chain worms now behave like identity abuse campaigns, not just malware incidents.
NHIMG editorial — based on content published by Knostic: LLMjacking: How Attackers Hijack AI Using Compromised NHIs
By the numbers:
- Over 640 npm packages with 132 million monthly downloads were compromised.
- The first Shai-Hulud wave compromised 180+ packages and stole $50 million in cryptocurrency.
- Wiz's analysis showed that compromised packages like @postman/tunnel-agent exist in 27% of cloud environments.
Questions worth separating out
Q: What breaks when npm package installs are allowed to execute code before inspection?
A: The control point disappears.
Q: Why do package manager credentials increase supply chain worm risk?
A: Because publishing rights become propagation rights.
Q: What do security teams get wrong about workflow runner persistence?
A: They treat runners as disposable build machinery instead of identities that can preserve access.
Practitioner guidance
- Classify package publishing tokens as governed NHI secrets Inventory npm, GitHub, cloud, and CI/CD credentials that can publish code or trigger workflows.
- Block preinstall execution where business risk allows Audit package installation pipelines for preinstall and install hooks, then decide where these scripts can be disabled or sandboxed.
- Harden self-hosted runners as persistent identities Treat self-hosted GitHub Actions runners as lifecycle-managed identities with strong isolation, monitored permissions, and explicit offboarding.
What's in the full article
Knostic's full analysis covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of the two-stage payload and why Bun-based execution evades common detection paths
- Indicators of compromise such as repository naming patterns, workflow changes, and package markers tied to propagation
- Defensive actions for npm, GitHub, and CI/CD environments, including rollback and rotation sequencing
- Observed scale data across compromised packages and infected repositories, useful for incident scoping
👉 Read Knostic's analysis of the Shai-Hulud 2.0 npm supply chain worm →
Shai-Hulud 2.0 and npm worms: what IAM teams should change?
Explore further
Package publishing rights are now a non-human identity problem, not just a developer hygiene problem: the worm succeeds because publishing credentials, workflow tokens, and repository permissions can be chained together faster than human review. The article shows that the attacker does not need a traditional exploit when non-human identities already have enough authority to republish code and create persistence. Practitioners need to treat package maintainers, CI runners, and automation tokens as governed identities with lifecycle state, not as incidental tooling.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: How should teams respond when a supply chain worm spreads through trusted packages?
A: Contain the publishing surface first. Revoke exposed tokens, rotate credentials, review repository creation and workflow changes, and roll back to known-clean package versions. Then scope the blast radius across developer environments, CI/CD systems, and any cloud accounts that shared the same secrets.
👉 Read our full editorial: Shai-Hulud 2.0 shows supply chain worms are now identity attacks