A New Level of Aggression
Just months after stealing millions in cryptocurrency, the "Shai-Hulud" supply chain attack has returned with a vengeance. Between November 21 and 23, 2025, this evolved malware campaign—dubbed "The Second Coming" by its creators—compromised hundreds of npm packages and infected over 25,000 GitHub repositories in a matter of hours.
Hijacking the Build Process
Unlike standard malware that waits to be run, Shai-Hulud 2.0 strikes early. It hides within trusted or lookalike npm packages and abuses the preinstall lifecycle script, which npm executes before the package's own files are even put in place. This means the malicious code runs the moment a developer tries to install the package, even if the installation itself later fails.
Evasion via Bun
To bypass security scanners, the attackers employed a clever trick: they switched runtime environments. Instead of using Node.js, which most security tools monitor closely, the malware installs the "Bun" runtime and executes its payload under it. This allowed it to operate under the radar while it systematically scraped environment variables, SSH keys, and cloud credentials (AWS, Azure, GCP).
Hiding Data in Plain Sight
In a brazen move, the attackers didn't use a traditional hidden server to collect stolen data. Instead, they uploaded the stolen secrets directly to public GitHub repositories labeled "Shai-Hulud: The Second Coming." By blending their data theft with legitimate GitHub traffic, they made detection significantly harder.
Worm-Like Spread
The malware didn't just steal data; it used the stolen credentials to propagate itself. It automatically published new malicious npm packages and registered infected machines as self-hosted GitHub runners, effectively turning victim environments into a breeding ground for further attacks.
Immediate Action Required
The scale of the breach is massive, with thousands of valid secrets exposed. Security experts warn that any organization using npm should assume potential exposure. Immediate steps include rotating all development secrets, auditing GitHub runners for unauthorized additions, and rigorously checking dependency manifests.
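The dependency-manifest check mentioned above can be automated. The following is an added example, not code from the article or from any npm tooling: it audits package.json manifests for install-time lifecycle scripts (the preinstall hook Shai-Hulud 2.0 abuses) and flags commands that pull in a second runtime such as Bun or fetch remote content. The package names, versions and script commands in SAMPLE_MANIFESTS are constructed for illustration; in a real audit you would load every node_modules/**/package.json from disk and feed them to auditAll.

```javascript
// Added example (not part of the original article): audit npm manifests for
// lifecycle scripts that execute during "npm install". Sample data is constructed.

// Hooks npm runs automatically at install time. "prepare" is included because it
// also fires for git and local dependencies.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators a defender wants surfaced: a second runtime being fetched or run
// (Bun, as used in this campaign), remote downloads, inline evaluation, and
// encoded payloads. A match raises severity; any lifecycle hook is still listed
// for manual review, because legitimate native addons use them too.
const SUSPICIOUS_PATTERNS = [
  { name: "bun runtime", re: /\bbunx?\b|bun\.sh/i },
  { name: "remote download", re: /\b(curl|wget)\b/i },
  { name: "inline node eval", re: /node\s+-e\b/i },
  { name: "encoded payload", re: /base64/i },
];

// Returns one finding per lifecycle hook present in a single package.json object.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const indicators = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(cmd)).map((p) => p.name);
    findings.push({
      pkg: `${manifest.name}@${manifest.version}`,
      hook,
      command: cmd,
      indicators,
      severity: indicators.length > 0 ? "high" : "review",
    });
  }
  return findings;
}

// Audits a whole dependency tree given as an array of parsed package.json objects.
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests; these are hypothetical package names, not real ones.
const SAMPLE_MANIFESTS = [
  { name: "clean-lib", version: "1.0.0", scripts: { test: "mocha" } },
  { name: "native-addon", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  {
    name: "lookalike-util",
    version: "0.0.9",
    scripts: { preinstall: "curl -fsSL https://bun.sh/install | bash && bun run ./setup.js" },
  },
];

// Stand-alone run: print one JSON line per finding.
for (const finding of auditAll(SAMPLE_MANIFESTS)) {
  console.log(JSON.stringify(finding));
}
```

The "review" findings are expected noise from packages that compile native code, so the report is a triage list rather than a verdict. As a preventive control, setting ignore-scripts=true in .npmrc (or npm config set ignore-scripts true) stops npm from running these hooks at all, after which builds that genuinely need them can re-enable scripts for an allowlisted set of packages.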