Shai Hulud v2 Malware

The second wave of the Shai-Hulud supply chain attack has now crossed into the Maven ecosystem, following the compromise of over 830 packages in the npm registry. Researchers identified a Maven Central package, org.mvnpm:posthog-node:4.18.1, which contains the same malicious components as the earlier npm attacks: the loader setup_bun.js and the payload bun_environment.js. Currently, this is the only known Java package affected.

Notably, the Maven package was not published by PostHog. Instead, it was generated through an automated mvnpm process that rebuilds npm packages as Maven artifacts. Maven Central has confirmed that all mirrored copies were purged as of November 25, 2025, and additional protections are being implemented to prevent compromised npm components from being republished.

Global Developer Impact and Attack Goals

This latest wave targets developers worldwide, aiming to steal sensitive data such as:

  • API keys
  • Cloud credentials
  • npm and GitHub tokens

It also facilitates deeper supply chain compromise in a worm-like, self-replicating manner. This iteration of Shai-Hulud is more stealthy, aggressive, and destructive than the initial September variant. By compromising npm maintainer accounts, attackers can publish trojanized packages that backdoor developer machines and automatically scan for secrets to exfiltrate to GitHub repositories.

How the Malware Operates: Dual Workflows and Stealth Techniques

The attack leverages two malicious workflows:

  • Self-hosted runner registration: Allows arbitrary command execution whenever a GitHub Discussion is opened.
  • Secrets harvesting workflow: Systematically collects credentials and pushes them to GitHub.

Key enhancements in Shai-Hulud v2 include:

  • Use of the Bun runtime to conceal core logic
  • Expansion of the infection cap from 20 to 100 packages
  • Randomized exfiltration repositories on GitHub to evade detection

So far, over 28,000 repositories have been affected, demonstrating the sheer scale and stealth of the campaign.

Exploited Vulnerabilities and Supply Chain Mechanics

Threat actors have capitalized on CI misconfigurations in GitHub Actions workflows, particularly the pull_request_target and workflow_run triggers. A single misconfigured workflow can turn a repository into 'patient zero', enabling rapid propagation of malicious code.
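The two workflow patterns described above (a privileged pull_request_target/workflow_run trigger that checks out and runs pull-request code, and a discussion-triggered job on a self-hosted runner) can be triaged with a simple scan of a repository's workflow files. The Python script below is an added example, not code from the original write-up or from any of the affected projects; its detection is line-based rather than a full YAML parse, and the three sample workflows (a misconfigured PR build, its hardened form, and a discussion handler) are constructed for illustration.

```python
"""Heuristic triage of GitHub Actions workflow files for two patterns:
pull_request_target / workflow_run triggers that check out and execute
pull-request code, and discussion-triggered jobs on self-hosted runners.
Line-based, not a YAML parser; sample workflows below are constructed."""
from __future__ import annotations

import re
import sys
from pathlib import Path

PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}
# checkout of the PR head (the untrusted side) under a privileged trigger
UNTRUSTED_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
# steps that execute package-manager lifecycle scripts from the checked-out tree
INSTALL_STEP = re.compile(r"\b(npm|pnpm|yarn|bun)\s+(install|ci|i)\b|\bmvn\b")
SELF_HOSTED = re.compile(r"runs-on:\s*.*self-hosted")


def workflow_triggers(text: str) -> set[str]:
    """Return event names under the top-level 'on:' key (inline list, scalar or block form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*?)\s*$", line)
        if not m:
            continue
        rest = m.group(1)
        if rest:  # on: push  /  on: [push, pull_request_target]
            return {t.strip() for t in rest.strip("[]").split(",") if t.strip()}
        names, base = set(), None
        for nxt in lines[i + 1:]:  # block form: keys indented under on:
            if not nxt.strip():
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break
            base = indent if base is None else base
            if indent == base:
                names.add(nxt.strip().split(":")[0].strip())
        return names
    return set()


def audit_workflow(name: str, text: str) -> list[str]:
    """Return human-readable findings for one workflow file."""
    findings = []
    triggers = workflow_triggers(text)
    privileged = sorted(triggers & PRIVILEGED_TRIGGERS)
    if privileged and UNTRUSTED_REF.search(text) and INSTALL_STEP.search(text):
        findings.append(f"{name}: {'/'.join(privileged)} checks out the PR head and runs package scripts")
    if "discussion" in triggers and SELF_HOSTED.search(text):
        findings.append(f"{name}: discussion-triggered job on a self-hosted runner")
    return findings


def audit_directory(repo: Path) -> list[str]:
    """Audit every workflow under .github/workflows of a checked-out repository."""
    findings = []
    for wf in sorted((repo / ".github" / "workflows").glob("*.y*ml")):
        findings.extend(audit_workflow(wf.name, wf.read_text()))
    return findings


# constructed samples: a misconfigured PR workflow, its hardened form, a discussion handler
VULNERABLE = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""

HARDENED = """\
name: PR build
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm test
"""

DISCUSSION_RUNNER = """\
name: discussion handler
on:
  discussion:
    types: [created]
jobs:
  handle:
    runs-on: [self-hosted, linux]
    steps:
      - run: ./scripts/handle-discussion.sh
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python audit_workflows.py /path/to/checked-out/repo
        results = audit_directory(Path(sys.argv[1]))
    else:
        results = []
        for label, text in [("vulnerable.yml", VULNERABLE), ("hardened.yml", HARDENED),
                            ("runner.yml", DISCUSSION_RUNNER)]:
            results.extend(audit_workflow(label, text))
    print("\n".join(results) or "no findings")
```

The hardened sample shows the two changes that remove the risk: switching to the plain pull_request trigger (which runs with a read-only token and no repository secrets for fork PRs) and installing with --ignore-scripts so that a malicious package's lifecycle hooks do not execute during the build. A real review should still read any flagged workflow by hand, since the heuristics only look at trigger names and a few step patterns.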

The attack has targeted projects associated with AsyncAPI, PostHog, and Postman, continuing a broader campaign that began with the August 2025 S1ngularity attack, which impacted several Nx packages on npm.

The Fallout: Secrets Leaked and Systemic Risk

Analysis of the campaign shows:

  • Hundreds of GitHub access tokens and cloud credentials from AWS, Google Cloud, and Microsoft Azure were exfiltrated.
  • Over 5,000 files with secrets were uploaded to GitHub.
  • Of 11,858 unique secrets identified in 4,645 repositories, 2,298 remained valid and publicly exposed as of November 24, 2025.

This demonstrates how a single compromised maintainer can trigger a cascade effect, infecting thousands of downstream applications.

Recommendations for Developers

To mitigate exposure, developers should:

  • Rotate all API keys, tokens, and credentials
  • Audit and remove compromised dependencies
  • Reinstall clean package versions
  • Harden CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement
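For the "audit and remove compromised dependencies" step, the indicators the write-up names are concrete enough to script: the loader and payload file names (setup_bun.js and bun_environment.js) inside installed npm packages, and the org.mvnpm:posthog-node:4.18.1 coordinate in a Maven pom.xml. The Python audit below is an added example, not code from the original article or from any affected project. It builds a throwaway fixture tree (a constructed package name, empty stand-in files for the indicators, and a pom.xml that pins the affected coordinate) so it runs offline; pointing it at a real checkout is a one-argument change.

```python
"""Audit a project tree for the Shai-Hulud v2 indicators named in the write-up:
the loader/payload file names inside installed npm packages, and the
org.mvnpm:posthog-node:4.18.1 Maven coordinate in a pom.xml. The fixture tree
built here is constructed; its indicator files are empty stand-ins."""
from __future__ import annotations

import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

INDICATOR_FILES = {"setup_bun.js", "bun_environment.js"}
# the only Maven artifact reported as affected
BAD_MAVEN = ("org.mvnpm", "posthog-node", "4.18.1")


def _local(tag: str) -> str:
    """Strip the POM XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def scan_node_modules(root: Path) -> list[str]:
    """Flag indicator file names anywhere under a node_modules directory."""
    findings = []
    for f in sorted(root.rglob("*")):
        if f.name not in INDICATOR_FILES or not f.is_file():
            continue
        parts = f.relative_to(root).parts
        if "node_modules" not in parts:
            continue
        last = len(parts) - 1 - parts[::-1].index("node_modules")  # innermost node_modules
        rest = parts[last + 1:-1]
        if not rest:
            pkg = "(node_modules root)"
        elif rest[0].startswith("@") and len(rest) > 1:  # scoped package @scope/name
            pkg = rest[0] + "/" + rest[1]
        else:
            pkg = rest[0]
        findings.append(f"npm indicator file {f.name} in package {pkg}")
    return findings


def scan_pom(pom: Path) -> list[str]:
    """Flag the affected coordinate, and any other mvnpm posthog-node version for review."""
    findings = []
    for dep in ET.parse(pom).getroot().iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        coord = (fields.get("groupId"), fields.get("artifactId"), fields.get("version"))
        label = ":".join(str(x) for x in coord)
        if coord == BAD_MAVEN:
            findings.append(f"{pom.name}: dependency {label} is the compromised mirror of posthog-node")
        elif coord[:2] == BAD_MAVEN[:2]:
            findings.append(f"{pom.name}: {label} is an mvnpm mirror of posthog-node; verify the version")
    return findings


def audit_project(root: Path) -> list[str]:
    """Combine the npm and Maven checks over one project tree."""
    findings = scan_node_modules(root)
    for pom in sorted(root.rglob("pom.xml")):
        findings.extend(scan_pom(pom))
    return findings


def build_fixture() -> Path:
    """Constructed project tree: one package carrying stand-in indicator files,
    one clean package, and a pom.xml pinning the affected coordinate."""
    root = Path(tempfile.mkdtemp(prefix="shai-hulud-audit-"))
    bad = root / "node_modules" / "@acme" / "widget"  # hypothetical package name
    bad.mkdir(parents=True)
    for name in INDICATOR_FILES:
        (bad / name).write_text("// empty stand-in for the fixture, not the real file\n")
    clean = root / "node_modules" / "clean-lib"  # hypothetical package name
    clean.mkdir(parents=True)
    (clean / "index.js").write_text("module.exports = (s) => s;\n")
    (root / "pom.xml").write_text("""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.mvnpm</groupId><artifactId>posthog-node</artifactId><version>4.18.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>2.0.9</version>
    </dependency>
  </dependencies>
</project>
""")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_fixture()
    print("\n".join(audit_project(target)) or "no indicators found")
```

A hit on either check means the affected machine's credentials should be treated as exposed and rotated (the first recommendation above), not just the dependency removed: the payload ran with whatever tokens were reachable when the package was installed.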

Shai-Hulud underscores that the modern software supply chain remains highly vulnerable. Attackers continue to exploit gaps in how open-source software is published, packaged, and deployed, often without relying on zero-day vulnerabilities. The most effective defense requires rethinking how software is built, shared, and consumed.
