Shai-Hulud V2 Poses Risk to NPM Supply Chain

Dec. 3, 2025, 11:22 a.m.

Description

A second wave of the Shai-Hulud malware campaign, dubbed 'The Second Coming', has emerged targeting the npm ecosystem. This advanced software supply chain attack has compromised over 700 npm packages and created more than 27,000 malicious GitHub repositories. Shai-Hulud V2 introduces critical advancements such as pre-install phase execution, persistent backdoor access via self-hosted GitHub Actions runners, cross-victim credential recycling, and a destructive failsafe mechanism. The malware harvests credentials from various sources, exfiltrates data via GitHub, and propagates across the npm ecosystem. It also features a GitHub Actions backdoor for persistent remote code execution and includes specialized logic for exploiting Azure DevOps build agents.
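A defender-side check for the pre-install phase execution described above, as an added example that is not part of the original advisory or of any vendor tooling: it audits `package.json` manifests for lifecycle hooks that npm runs automatically during installation. The function names, severity labels and sample manifests are constructed for illustration.

```javascript
// Added example: flag install-phase lifecycle hooks in package.json manifests.
// Hooks npm runs automatically when a package is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Returns one finding per install-phase hook declared in a parsed manifest.
function auditManifest(manifest, source = "<inline>") {
  const declared = manifest && manifest.scripts;
  const scripts = declared && typeof declared === "object" ? declared : {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string" && scripts[hook].trim() !== "")
    .map((hook) => ({
      source,
      package: `${manifest.name || "?"}@${manifest.version || "?"}`,
      hook,
      command: scripts[hook],
      // Assumption: preinstall is ranked highest because it is the phase the advisory names.
      severity: hook === "preinstall" ? "high" : "review",
    }));
}

// Audits raw package.json text; malformed JSON is reported instead of thrown.
function auditManifestText(text, source) {
  try {
    return auditManifest(JSON.parse(text), source);
  } catch {
    return [{ source, package: "?", hook: null, command: null, severity: "unparseable" }];
  }
}

// Walks a directory such as node_modules (caller-supplied path) and audits every manifest.
async function scanTree(root) {
  const fs = await import("node:fs/promises");
  const path = await import("node:path");
  const findings = [];
  for (const entry of await fs.readdir(root, { recursive: true })) {
    if (path.basename(entry) !== "package.json") continue;
    const file = path.join(root, entry);
    findings.push(...auditManifestText(await fs.readFile(file, "utf8"), file));
  }
  return findings;
}

// Constructed sample manifests, not taken from any real package.
const SAMPLES = [
  { name: "example-clean", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "example-hooked", version: "2.3.1",
    scripts: { preinstall: "node ./hook.js", postinstall: "node ./build.js" } },
];
console.log(JSON.stringify(SAMPLES.flatMap((m) => auditManifest(m)), null, 2));
```

Installing with `npm install --ignore-scripts` prevents npm from running these hooks at all; `scanTree` needs a Node.js release whose `fs.readdir` supports the `recursive` option.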

Date

  • Created: Dec. 3, 2025, 8:47 a.m.
  • Published: Dec. 3, 2025, 8:47 a.m.
  • Modified: Dec. 3, 2025, 11:22 a.m.

Attack Patterns