Ethical Hacking News
A sophisticated malware campaign known as Shai-Hulud has been discovered, exposing thousands of sensitive secrets across various ecosystems. The attack, first detected in September 2025, has now spread to Maven, posing a significant risk to individual developers and organizations relying on compromised packages. Learn more about this threat and how to protect yourself and your organization from such attacks.
- The Shai-Hulud malware campaign has exposed thousands of sensitive secrets across various ecosystems.
- The attack targets repositories on GitHub, npm, and other software distribution platforms.
- The attackers exploited vulnerabilities in GitHub Actions workflows to compromise projects associated with AsyncAPI, PostHog, and Postman.
- The malware can spread quickly and silently across the supply chain, backdoor machines, and exfiltrate secrets using stolen tokens.
- Over 5,000 files were uploaded to GitHub with exfiltrated secrets, with 11,858 unique secrets identified across 4,645 repositories.
- The attack highlights the importance of robust security measures within the supply chain and ecosystem.
The cybersecurity landscape has been hit by a sophisticated malware campaign known as Shai-Hulud, which has resulted in the exposure of thousands of sensitive secrets across various ecosystems. The attack, first discovered in September 2025, has now spread to other popular software distribution platforms, including Maven. This malicious campaign is not only a threat to individual developers but also poses a significant risk to the larger supply chain and ecosystem as a whole.
According to recent reports, the Shai-Hulud malware campaign targets repositories on GitHub, on npm (the popular JavaScript package manager), and on other software distribution platforms. The attackers gained their foothold through vulnerable GitHub Actions workflows. Specifically, they exploited existing workflows that use the `pull_request_target` trigger, which runs with the repository's credentials, to compromise projects associated with AsyncAPI, PostHog, and Postman.
One of the most significant aspects of this attack is its ability to spread quickly and silently across the supply chain. The malware can backdoor machines, scan them for secrets, and exfiltrate those secrets to GitHub repositories using stolen tokens. This stealthy execution makes it a formidable threat to both developers and organizations relying on compromised packages.
The attackers have also shown an increased focus on credential breadth, with hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure leaked during the campaign. In total, more than 5,000 files were uploaded to GitHub with exfiltrated secrets, with GitGuardian's analysis revealing that 11,858 unique secrets were identified across 4,645 GitHub repositories.
The Shai-Hulud malware campaign is just one example of how a single compromised maintainer and a malicious install script can ripple through thousands of downstream projects in a matter of hours. The campaign demonstrates the ease with which attackers can exploit vulnerabilities in open-source software publication and packaging processes to compromise large numbers of packages.
To combat this threat, cybersecurity experts recommend that users rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. Organizations must also prioritize changing the way software gets built and consumed to prevent similar attacks in the future.
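The two checks below are an added example written for this article, not code from the reports it summarizes. They put two of the steps above into runnable form: auditing an npm lockfile for known-compromised package versions, and flagging the workflow pattern described earlier (a `pull_request_target` trigger combined with a checkout of the pull request's head revision). The denylist entries, the sample lockfiles and the sample workflows are constructed placeholders, not real indicators from the campaign; replace `COMPROMISED` with the package@version list from your vendor's or CISA's advisory.

```python
"""Added example (not from the article): two audit checks a defender can run
after a Shai-Hulud-style npm/GitHub compromise.

1. find_compromised_packages(): walk an npm package-lock.json (lockfile v2/v3
   "packages" map, falling back to the v1 "dependencies" tree) and report every
   installed package whose name@version is on a denylist of known-bad releases.
2. flag_risky_pull_request_target(): scan a GitHub Actions workflow file for a
   `pull_request_target` trigger combined with a checkout of the PR head, which
   runs untrusted pull-request code with the repository's secrets.

All sample data and the denylist below are CONSTRUCTED placeholders.
"""
import json
import re

# Placeholder denylist: replace with the advisory's actual package@version list.
COMPROMISED = {
    "example-pkg@1.2.3",        # constructed placeholder, not a real IoC
    "another-example@4.5.6",    # constructed placeholder, not a real IoC
}


def _walk_v1(deps, prefix, found):
    """Recurse through a lockfile v1 'dependencies' tree, recording node_modules paths."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        found.append((path, name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies"), path + "/", found)


def installed_packages(lock):
    """Return [(path, name, version)] for every package in a parsed lockfile."""
    found = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Scoped names (@scope/pkg) survive because we split on the last node_modules/
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            found.append((path, name, meta.get("version", "")))
    else:  # lockfileVersion 1: nested tree
        _walk_v1(lock.get("dependencies"), "", found)
    return found


def find_compromised_packages(lock_json, denylist=COMPROMISED):
    """Return the sorted lockfile paths whose name@version is on the denylist."""
    lock = json.loads(lock_json)
    return sorted(path for path, name, ver in installed_packages(lock)
                  if f"{name}@{ver}" in denylist)


# Checkout of the PR head, the part that pulls untrusted code into a privileged job.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")


def flag_risky_pull_request_target(workflow_text):
    """True when the workflow uses pull_request_target AND checks out the PR head.

    Plain-text heuristic (no YAML parser needed). It only catches the checkout
    form; a workflow that fetches PR code some other way still needs manual review.
    """
    uses_prt = re.search(r"\bpull_request_target\b", workflow_text) is not None
    checks_out_head = HEAD_REF.search(workflow_text) is not None
    return uses_prt and checks_out_head


# Constructed sample inputs.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/example-pkg": {"version": "1.2.3"},
        "node_modules/left-ish": {"version": "1.0.0"},
        "node_modules/left-ish/node_modules/another-example": {"version": "4.5.6"},
        "node_modules/safe-pkg": {"version": "2.0.0"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "example-pkg": {"version": "1.2.3",
                        "dependencies": {"another-example": {"version": "4.5.6"}}},
        "safe-pkg": {"version": "2.0.0"},
    },
})
RISKY_WORKFLOW = """name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
"""
SAFE_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target", "pull_request") \
                              .replace("          ref: ${{ github.event.pull_request.head.sha }}\n", "")

if __name__ == "__main__":
    print("compromised (v3):", find_compromised_packages(SAMPLE_LOCK_V3))
    print("compromised (v1):", find_compromised_packages(SAMPLE_LOCK_V1))
    print("risky workflow:", flag_risky_pull_request_target(RISKY_WORKFLOW))
    print("safe workflow:", flag_risky_pull_request_target(SAFE_WORKFLOW))
```

Run it against a real project by reading `package-lock.json` and each file under `.github/workflows/` into the two functions. A lockfile hit means the step "remove compromised versions, reinstall clean packages" applies to that path and everything built from it; a workflow hit means the job should be split so that untrusted PR code never runs in a context holding write tokens or secrets.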
This attack highlights the importance of robust security measures within the supply chain and ecosystem. The Shai-Hulud malware campaign serves as a reminder that no single system is immune to such threats, and it underscores the need for vigilance and proactive defense strategies across all layers of the software development process.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Shai-Hulud-Supply-Chain-Attack-A-Sophisticated-Malware-Campaign-Exposes-Thousands-of-Secrets-ehn.shtml
https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html
https://blog.checkpoint.com/research/shai-hulud-2-0-inside-the-second-coming-the-most-aggressive-npm-supply-chain-attack-of-2025/
https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
https://cybersecuritynews.com/apt35-hacker-groups-internal-documents/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
Published: Wed Nov 26 22:30:06 2025 by llama3.2 3B Q4_K_M