Shai Hulud V2: Sha1Hulud the second coming - the New NPM supply chain Attack Hitting 700+ Packages

The npm ecosystem has been hit again. Shai Hulud — the first self-propagating supply chain worm discovered earlier this year — has resurfaced with a new, more advanced variant. This video breaks down what happened in the first attack, what’s new in the November 2025 wave, and why this matters for engineering, DevSecOps, and security teams responsible for protecting CI/CD pipelines and cloud environments.

Open source scanner with indicators of compromise: https://github.com/Security-Phoenix-d...

00:00 – Introduction: The Rise of Self-Replicating npm Worms
00:22 – Recap of the First Shai Hulud Campaign
00:41 – The New Variant: 400+ New Compromised Packages
01:02 – 608 Total Packages Impacted Across Both Campaigns
01:13 – How the Worm Works: Self-Replication & Credential Theft
01:23 – Persistence and Continuous Propagation
01:49 – New Payload Mechanics: Preinstall Scripts & setup_bun.js
02:14 – Targeted Ecosystems: Zapier, ENS Domains, Postman, PostHog, AsyncAPI
02:30 – Defending Against npm Supply-Chain Attacks
02:51 – Phoenix Scanner Update for Multi-File GitHub Analysis
03:14 – Payload, IOCs, and Blast Radius Overview
03:26 – Stolen Credentials & Large-Scale Repo Exposure
03:46 – Expect More Variants: Not the Final Wave
04:05 – Full Timeline & Attack Evolution Diagram
04:15 – Phoenix Security Advisory & Campaign Downloads
04:38 – How Teams Should Respond Now
04:55 – Key Takeaways & Defensive Actions

The earlier Shai Hulud attack compromised more than 500 npm packages, inserting Webpack-bundled malware, harvesting GitHub and cloud credentials, injecting GitHub Actions backdoors, and auto-publishing malicious versions using stolen maintainer tokens. It was the first time the JavaScript ecosystem saw worm-like propagation across maintainers.

The new variant pushes the threat further:
• Preinstall lifecycle execution
• New payload files: setup_bun.js, bun_environment.js
• Expanded targeting across PostHog, Postman, AsyncAPI, ENS Domains, Actbase, Trigo, Zapier and many more
• Multi-cloud credential harvesting (AWS, GCP, Azure)
• Secret exfiltration to attacker-controlled GitHub repos marked with Shai-Hulud identifiers
• GitHub Actions persistence via discussion-triggered backdoor workflows
• Docker-based privilege escalation attempts to gain root access on CI runners

Several organizations downloaded malicious packages before npm removed them, meaning active compromise windows are confirmed.

This video explains:

🔍 What happened in the first Shai Hulud campaign
• How maintainer accounts were hijacked
• How the worm auto-propagated via npm publish
• Why GitHub Actions were weaponised for persistence
• Which ecosystems were impacted

⚠️ What’s different in the new wave
• New payload design
• New execution model
• New ecosystems targeted
• GitHub self-hosted runner backdoor
• Cloud credential theft expansions
• Docker breakout attempts

🛡 How to protect your org
• Pin dependencies & freeze your lockfiles
• Disable lifecycle scripts in CI
• Route all installs through an internal registry/proxy
• Rotate all GitHub / npm / cloud credentials
• Hunt for discussion.yaml and formatter_*.yml implants
• Audit for exfiltration repos and unusual self-hosted runners
• Use ASPM + reachability analysis to understand blast radius

⸻

🔗 Full Scanner: https://github.com/Security-Phoenix-d...
🔗 Full technical article + full package list: https://phoenix.security/shai-hulud-s...
🔗 Timeline of Shai Hulud V1 to V2: https://phoenix.security/shai-hulud-c...
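
The file-level indicators named in this description (the setup_bun.js and bun_environment.js payloads, preinstall hooks, and discussion.yaml / formatter_*.yml workflows) can be hunted in a repository or CI workspace with a short script. This is an added example, not part of the video description and not the Phoenix scanner; the function names, finding labels, and the inclusion of install/postinstall hooks are assumptions.

```python
import fnmatch
import json
import os
import sys

# Indicator names taken from the description above.
PAYLOAD_FILES = {"setup_bun.js", "bun_environment.js"}
WORKFLOW_GLOBS = ("discussion.yaml", "formatter_*.yml")
# preinstall is named above; install/postinstall (other install-time hooks) are an added assumption.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def check_manifest(path, rel):
    """Report install-time scripts in one package.json, marking payload launchers."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return [("unreadable-manifest", rel, "")]
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return []
    out = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str):
            hit = any(p in cmd for p in PAYLOAD_FILES)
            out.append(("hook-runs-payload" if hit else "install-hook", rel, f"{hook}: {cmd}"))
    return out

def scan(root):
    """Walk root (a repo or CI workspace) and return sorted (kind, path, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_workflows = parts[-2:] == [".github", "workflows"]
        for name in filenames:
            rel = "/".join(p for p in parts + [name] if p != ".")
            if name in PAYLOAD_FILES:
                findings.append(("payload-file", rel, name))
            if in_workflows and any(fnmatch.fnmatch(name, g) for g in WORKFLOW_GLOBS):
                findings.append(("workflow-implant", rel, name))
            if name == "package.json":
                findings.extend(check_manifest(os.path.join(dirpath, name), rel))
    return sorted(findings)

if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("\t".join(finding))
```

An `install-hook` finding is informational: it lists what would run at install time, which is also what stops running once lifecycle scripts are disabled in CI.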