Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

Nov. 27, 2025, 9:35 a.m.

Description

In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours. The malware behaves like a worm, automatically harvesting credentials and cloud secrets, and spreading to new npm accounts. It uses GitHub Actions as a persistent backdoor and creates public repositories for exfiltration. The attack represents a significant escalation in supply-chain attack sophistication, affecting major projects and organizations, and resulting in tens of thousands of attacker-created GitHub repositories.

External References

https://www.netskope.com/blog/shai-hulud-2-0-aggressive-automated-one-of-fastest-spreading-npm-supply-chain-attacks-ever-observed
https://otx.alienvault.com/pulse/6927bee642cb29e5997211d2
Tags
backdoor
worm
credential harvesting
npm
github
automation
supply-chain attack
2025-11-27
shai-hulud 2.0

Date

  • Created: Nov. 27, 2025, 3 a.m.
  • Published: Nov. 27, 2025, 3 a.m.
  • Modified: Nov. 27, 2025, 9:35 a.m.

Attack Patterns

  • Shai-Hulud 2.0