Скачать или смотреть Shai Hulud V2: Sha1Hulud the second coming - the New NPM supply chain Attack Hitting 700+ Packages

The npm ecosystem has been hit again. Shai Hulud — the first self-propagating supply chain worm discovered earlier this year — has resurfaced with a new, more advanced variant. This video breaks down what happened in the first attack, what’s new in the November 2025 wave, and why this matters for engineering, DevSecOps, and security teams responsible for protecting CI/CD pipelines and cloud environments.

Open source scanner with indicator of compromise: https://github.com/Security-Phoenix-d...

00:00 – Introduction: The Rise of Self-Replicating npm Worms
00:22 – Recap of the First Shai Hulud Campaign
00:41 – The New Variant: 400+ New Compromised Packages
01:02 – 608 Total Packages Impacted Across Both Campaigns
01:13 – How the Worm Works: Self-Replication & Credential Theft
01:23 – Persistence and Continuous Propagation
01:49 – New Payload Mechanics: Preinstall Scripts & setup_bun.js
02:14 – Targeted Ecosystems: Zapier, ENS Domains, Postman, PostHog, AsyncAPI
02:30 – Defending Against npm Supply-Chain Attacks
02:51 – Phoenix Scanner Update for Multi-File GitHub Analysis
03:14 – Payload, IOCs, and Blast Radius Overview
03:26 – Stolen Credentials & Large-Scale Repo Exposure
03:46 – Expect More Variants: Not the Final Wave
04:05 – Full Timeline & Attack Evolution Diagram
04:15 – Phoenix Security Advisory & Campaign Downloads
04:38 – How Teams Should Respond Now
04:55 – Key Takeaways & Defensive Actions

The earlier Shai Hulud attack compromised more than 500 npm packages, inserting Webpack-bundled malware, harvesting GitHub and cloud credentials, injecting GitHub Actions backdoors, and auto-publishing malicious versions using stolen maintainer tokens. It was the first time the JavaScript ecosystem saw worm-like propagation across maintainers.

The new variant pushes the threat further:
• Preinstall lifecycle execution
• New payload files: setup_bun.js, bun_environment.js
• Expanded targeting across PostHog, Postman, AsyncAPI, ENS Domains, Actbase, Trigo, Zapier and many more
• Multi-cloud credential harvesting (AWS, GCP, Azure)
• Secret exfiltration to attacker-controlled GitHub repos marked with Shai-Hulud identifiers
• GitHub Actions persistence via discussion-triggered backdoor workflows
• Docker-based privilege escalation attempts to gain root access on CI runners

Several organizations downloaded malicious packages before npm removed them, meaning active compromise windows are confirmed.

This video explains:

🔍 What happened in the first Shai Hulud campaign
• How maintainer accounts were hijacked
• How the worm auto-propagated via npm publish
• Why GitHub Actions were weaponised for persistence
• Which ecosystems were impacted

⚠️ What’s different in the new wave
• New payload design
• New execution model
• New ecosystems targeted
• GitHub self-hosted runner backdoor
• Cloud credential theft expansions
• Docker breakout attempts

🛡 How to protect your org
• Pin dependencies & freeze your lockfiles
• Disable lifecycle scripts in CI
• Route all installs through an internal registry/proxy
• Rotate all GitHub / npm / cloud credentials
• Hunt for discussion.yaml and formatter_*.yml implants
• Audit for exfiltration repos and unusual self-hosted runners
• Use ASPM + reachability analysis to understand blast radius

⸻
🔗 Full Scanner:
https://github.com/Security-Phoenix-d...

🔗 Full technical article + full package list

https://phoenix.security/shai-hulud-s...

🔗 Timeline of shai hulud V1 to V2

https://phoenix.security/shai-hulud-c...