The Shai-Hulud 2.0 campaign, dubbed The Second Coming by its operators, has emerged as one of the most aggressive npm supply chain attacks of the year. Between November 21 and 23, attackers compromised over 600 npm packages and more than 25,000 GitHub repositories in just a few hours, exposing thousands of sensitive developer and cloud credentials.
Unlike traditional malware that activates post-installation, Shai-Hulud 2.0 abuses the npm preinstall lifecycle script. This allows the malicious payload to execute even if the package installation fails, giving attackers early access to development environments. By running under the Bun runtime instead of Node.js, the campaign evaded standard detection tools and exfiltrated AWS, Azure and GCP credentials, SSH keys, GitHub tokens, and CI/CD secrets.
“The scale and sophistication of Shai-Hulud 2.0 highlight how quickly supply chain attacks can compromise developer environments and cloud infrastructure,” — Check Point Research
Once executed, the malware collects environment variables and cloud credentials into structured JSON files and uploads them to public GitHub repositories. It also establishes persistence by registering infected systems as self-hosted GitHub runners, inserting rogue workflow files, and enabling automated propagation across the JavaScript ecosystem. In some cases, a destructive failsafe can wipe local files if containment is detected.
The impact has been widespread. Check Point’s analysis identified 14,206 leaked secrets, including 2,485 still valid, affecting 487 GitHub organizations. Multi-cloud environments and developer pipelines were directly compromised, showing how dependency-level attacks can escalate into far-reaching breaches with long-term implications.
Security experts recommend immediate action for organizations using npm. Key measures include auditing dependency manifests and lockfiles, removing compromised packages, clearing caches, rotating all secrets, inspecting GitHub runners, and removing unauthorized workflow files. Preventive steps such as enforcing MFA, monitoring unexpected repositories, implementing SBOM-based scanning, and strengthening CI/CD isolation are also critical to mitigate future attacks.
Shai-Hulud 2.0 underscores the increasing complexity of supply chain threats and the need for robust, multi-layered security practices. Organizations are urged to review their development pipelines, adopt continuous monitoring, and proactively secure cloud credentials to prevent similar high-impact incidents in the future.
