Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

Dec. 21, 2025, 6:07 p.m.

Description

In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours. The malware behaves like a worm, automatically harvesting credentials and cloud secrets, and spreading to new npm accounts. It uses GitHub Actions as a persistent backdoor and creates public repositories for exfiltration. The attack represents a significant escalation in supply-chain attack sophistication, affecting major projects and organizations, and resulting in tens of thousands of attacker-created GitHub repositories.

Date

  • Created: Nov. 27, 2025, 3 a.m.
  • Published: Nov. 27, 2025, 3 a.m.
  • Modified: Dec. 21, 2025, 6:07 p.m.

Indicators

  • f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068
  • cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd
  • 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0
  • a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a
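One defender-side use of the indicators listed above: hash every file under a dependency tree (for example `node_modules` on a build host or developer workstation) and flag any whose SHA-256 matches. This is an added example written for this page, not tooling from the report or from any project it names; the file names and directory it scans are assumptions, and the only page-derived values are the four hashes.

```python
"""Scan a directory tree for files whose SHA-256 matches the Shai-Hulud 2.0 indicators above."""
import hashlib
import os
import sys

# SHA-256 indicators copied from the Indicators section of this report.
SHAI_HULUD_IOCS = {
    "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068",
    "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd",
    "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0",
    "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large bundles do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_iocs(root, iocs=SHAI_HULUD_IOCS):
    """Return [(path, sha256)] for every regular file under root whose digest is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files; only hash real file content.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: report nothing rather than crash the scan
            if digest in iocs:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Assumed default: scan ./node_modules; pass another directory as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "node_modules"
    matches = find_iocs(target)
    for path, digest in matches:
        print(f"MATCH {digest} {path}")
    sys.exit(1 if matches else 0)
```

The non-zero exit on a match lets the scan be dropped into a CI step so a build fails instead of running a matched file.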