Ethical Hacking News

The Shai-Hulud Supply Chain Attack: A Looming Threat to Global Cybersecurity




The Shai-Hulud supply chain attack has compromised thousands of packages across the npm and Maven ecosystems, exposing sensitive data to malicious actors. The campaign underscores the need for robust security measures to prevent such incidents and serves as a wake-up call for developers and organizations to take proactive steps to protect their software supply chains.

  • The Shai-Hulud supply chain attack has compromised thousands of packages and exposed sensitive data to malicious actors.
  • The attack uses two components, the "setup_bun.js" loader and the main payload "bun_environment.js", to gain unauthorized access to npm maintainer accounts.
  • Over 28,000 repositories have been affected by the incident, with more than 5,000 files containing exfiltrated secrets uploaded to GitHub.
  • The attackers exploited CI misconfigurations to compromise projects associated with AsyncAPI, PostHog, and Postman.
  • The attack underscores the need for robust security measures to prevent such incidents, including continuous monitoring, vulnerability assessments, and secure coding practices.



The cybersecurity landscape has witnessed a significant escalation of threats in recent times, and one attack that stands out for its sophistication and impact is the Shai-Hulud supply chain attack. This campaign, which began in September 2025, has been spreading across ecosystems including npm and Maven, compromising thousands of packages and exposing sensitive data to malicious actors.

At the heart of this attack are two components: the "setup_bun.js" loader and the main payload, "bun_environment.js". These components were first identified by the Socket Research Team in a Maven Central package named org.mvnpm:posthog-node:4.18.1, which embedded the Shai-Hulud v2 payload. The attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages, backdooring unsuspecting developers' machines and scanning them for secrets.

The malware accomplishes this by injecting two rogue workflows: one registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened; the second systematically harvests all secrets. Over 28,000 repositories have been affected by the incident, with more than 5,000 files containing exfiltrated secrets uploaded to GitHub.

The attackers also exploited CI misconfigurations in pull_request_target and workflow_run workflows to compromise projects associated with AsyncAPI, PostHog, and Postman. The vulnerable workflow "used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run," security researcher Ilyas Makari said.
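As an added example (not code from the article or from any of the researchers it cites), the following Python audit scans raw GitHub Actions workflow text for the three patterns described above: a pull_request_target workflow that checks out the pull request's head, a discussion-triggered job on a self-hosted runner, and a step that serialises the whole secrets context. The sample workflow files are constructed for illustration and do not come from any real repository.

```python
import re

# Constructed sample workflow files (not taken from any real repository),
# each showing one of the patterns the article describes.
PWN_REQUEST = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test   # PR-supplied install scripts run here
"""
ROGUE_RUNNER = """\
on:
  discussion:
jobs:
  listen:
    runs-on: self-hosted
    steps:
      - run: ./handle-event.sh
"""
SECRET_DUMP = """\
on: push
jobs:
  collect:
    runs-on: ubuntu-latest
    steps:
      - run: echo '${{ toJSON(secrets) }}' > out.json
"""

# Each rule is (finding, pattern A, pattern B); both patterns must match.
RULES = [
    ("pull_request_target checks out the PR head: untrusted code runs with repo secrets",
     r"^\s*pull_request_target\s*:", r"github\.event\.pull_request\.head\.(sha|ref)"),
    ("discussion-triggered job on a self-hosted runner: the persistence workflow described above",
     r"^\s*discussion\s*:", r"^\s*runs-on:\s*self-hosted\b"),
    ("whole secrets context serialised into a step (bulk harvesting)",
     r"toJSON\(\s*secrets\s*\)", r"."),
]

def audit_workflow(text: str) -> list:
    """Return the findings for one workflow file's raw YAML text."""
    return [msg for msg, pat_a, pat_b in RULES
            if re.search(pat_a, text, re.M | re.I) and re.search(pat_b, text, re.M | re.I)]
```

Run it over every file under .github/workflows in a repository; a hit on the second or third rule in a repository that never had such a workflow is a strong indicator of the injected workflows this campaign leaves behind.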

This attack is not an isolated incident but part of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign, which impacted several Nx packages on npm. The Shai-Hulud v2 malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation.

The attack's impact is significant: hundreds of GitHub access tokens and credentials for Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have been leaked. More than 11,858 unique secrets have been identified across 4,645 GitHub repositories as of November 24, 2025, of which 2,298 remained valid and publicly exposed.

The attack also underscores the need for robust security measures to prevent such incidents. Dan Lorenc, co-founder and CEO of Chainguard, said, "Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break." He emphasized that a single compromised maintainer and a malicious install script are all it takes to ripple through thousands of downstream projects in a matter of hours.

The techniques used in these attacks don't rely on zero-days; they exploit gaps in how open source software is published, packaged, and pulled into production systems. According to Chainguard, the only real defense is changing the way software gets built and consumed. This requires a proactive approach to security, including continuous monitoring, vulnerability assessments, and secure coding practices.

The Shai-Hulud supply chain attack serves as a wake-up call for developers and organizations alike, highlighting the need for robust security measures and a culture of vigilance in the face of emerging threats. By understanding the tactics attackers use and implementing effective countermeasures, we can reduce the risk of such incidents and protect against the devastating impact they can have on our digital lives.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Shai-Hulud-Supply-Chain-Attack-A-Looming-Threat-to-Global-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html


  • Published: Wed Nov 26 12:14:55 2025 by llama3.2 3B Q4_K_M