What Shai-Hulud 2.0 Did and Why It Matters
The first Shai-Hulud worm was disclosed in September 2025 — Unit 42's timeline and CISA's advisory catalogued over 500 compromised packages and identified the credential-harvesting phishing campaign that seeded it. That was unprecedented at the time.
Shai-Hulud 2.0, or "The Second Coming," surfaced on November 24, 2025 and was more automated, more aggressive, and more destructive. Datadog Security Labs and Microsoft's December 9, 2025 security blog documented the mechanics:
- When a compromised package is installed, a preinstall script drops two malicious files (`setup_bun.js` and `bun_environment.js`).
- The script harvests local credentials: npm tokens, Git credentials, AWS, Google Cloud, and Azure cloud-provider secrets.
- Stolen credentials are exfiltrated to a public GitHub repository tagged "Sha1-Hulud: The Second Coming."
- Using the stolen npm token, the worm identifies other packages maintained by the compromised developer and automatically publishes backdoored versions — up to 100 packages per infected developer.
- Destructive fallback. If the worm cannot exfiltrate data or propagate (no GitHub or npm token, blocked network egress), the payload overwrites and deletes all writable files in the developer's home directory.
Elastic, Sonatype, and ReversingLabs all produced independent technical writeups within the first 48 hours, and the community-maintained dont-be-shy-hulud defense guide on GitHub became the de facto remediation reference.
Why npm Revoked All Legacy Tokens
On December 9, 2025, npm took the rare step of mass-revoking all "classic" legacy tokens across the registry. Per Microsoft's analysis, the reasoning was straightforward: classic tokens provided broad, long-lived publishing authority that the worm used to propagate faster than manual revocation could keep up. By forcing every maintainer onto scoped, time-limited tokens, npm removed the primary accelerant.
This is the most consequential structural change in the npm ecosystem in years. Every CI/CD pipeline that published a package using a classic token broke on December 9. The scramble to migrate — and the pipelines that are still broken today because no one noticed — is itself a supply-chain hygiene indicator.
What Every Engineering Team Must Do in 2026
The worm's mechanics generalize beyond a single incident. Any future npm-style worm will follow the same template: compromise one maintainer, steal their token, push backdoored versions of their packages, repeat. Defense therefore has to be structural, not reactive.
- Retire classic npm tokens everywhere. Audit every CI/CD pipeline, developer workstation, and credential store for `_authToken` entries in `.npmrc` files. Replace with granular access tokens (GATs) scoped to specific packages with short expiry windows, or with trusted-publisher flows (OIDC) where available.
- Phishing-resistant MFA for every maintainer account. The original Shai-Hulud compromise traced back to a phishing campaign spoofing npm MFA updates. Hardware FIDO2 keys for npm, GitHub, and any package registry account are now the minimum bar for anyone publishing code that downstream users install.
- Disable preinstall and postinstall scripts by default. `npm install –ignore-scripts` should be the default in CI/CD, not an exception. Run scripts only for vetted packages via an allowlist. Many organizations configure this in an `.npmrc` shared across the fleet.
- Move to ephemeral CI/CD credentials. Long-lived tokens in pipelines are how this class of attack moves laterally into the build system. Short-lived, workload-identity-bound credentials (OIDC from GitHub Actions to npm, IAM role federation to cloud) remove the standing attack surface.
- Detect preinstall anomalies in CI. Monitor install-time network calls, file writes to `$HOME`, and unexpected GitHub repository creations from CI runners. Datadog, Elastic, Snyk, Socket, and Aikido all published detection rules for Shai-Hulud 2.0 indicators that can be adapted to future variants.
- Pin dependency versions with lockfiles. `package-lock.json` or `pnpm-lock.yaml` prevent opportunistic pulls of a just-published malicious version. Combined with signed provenance via npm's sigstore integration, this meaningfully raises the bar.
- Maintain a quarantined install environment for first-run tests. New dependencies should be installed first in an isolated VM with no persistent credentials. Any package whose install phase reaches out to an unexpected network endpoint or writes outside its directory should trigger investigation before it lands in the main environment.
Advertisement
The Immediate Response Playbook If You Think You Are Infected
If a developer suspects Shai-Hulud 2.0 (or a variant) is active on their machine, the StepSecurity incident guidance and Microsoft blog converge on three immediate actions:
- Do not run `npm install` on any project. If possible, disconnect from the network. This prevents both further propagation and triggering the destructive fallback if the payload has not yet completed.
- Revoke all developer tokens — npm, GitHub, AWS, Google Cloud, Azure — immediately. Revoke first, then rotate. If you rotate before revoking, the worm can steal the new credentials.
- Clean the machine before rotating credentials. Reinstall the OS or restore from a known-clean backup. Only issue new credentials once the development environment is verifiably free of the payload.
For organizations, add: publish a CISO advisory to the engineering org within 24 hours, check all shared package publishing credentials, and audit the last 30 days of new packages published from organizational accounts.
What This Means for the Broader Supply Chain Conversation
Dark Reading's 2026 supply-chain worm outlook makes the structural point bluntly: Shai-Hulud demonstrated, at scale, that the package ecosystem has a replication mechanism available to any sufficiently motivated attacker. npm was first because of its size and preinstall-script permissiveness, but PyPI, RubyGems, Maven Central, and NuGet share structurally similar weaknesses.
Three directional changes should be on every CISO's 2026 dashboard.
- Treat package registries as production supply chain infrastructure. Access, auditing, and hygiene should receive the same rigor as production databases.
- Adopt signed provenance wherever available. npm's sigstore integration, Python's PEP 740 trusted publishers, and similar programs in other ecosystems close the accountability gap.
- Ask vendors about their package-registry hygiene. Third-party risk assessments in 2026 should include specific questions about MFA, token scopes, and provenance signing on the vendor's own build pipelines.
Where This Leaves Engineering Teams
Shai-Hulud 2.0 is the clearest supply-chain incident most engineering leaders have ever seen, and it will not be the last. The defensive work — token migration, phishing-resistant MFA, `–ignore-scripts`, provenance — is well-understood, increasingly instrumented, and free or cheap in every case. The organizations that treated the November 2025 incident as a wake-up call are in fundamentally better shape than those that treated it as someone else's problem. The question for every CTO reading this in April 2026 is simple: how many of the steps in the playbook above have actually shipped?
Frequently Asked Questions
Is my organization at risk even if we don't publish npm packages?
Yes. Consumers of npm packages are the primary victims of a worm like Shai-Hulud — the destructive fallback triggers on the developer's machine during `npm install`. Any organization running Node.js projects, CI/CD pipelines that install dependencies, or developer workstations with npm is inside the blast radius regardless of whether it publishes packages of its own.
What is the difference between Shai-Hulud 1 and Shai-Hulud 2.0?
Shai-Hulud 1, disclosed in September 2025, compromised over 500 npm packages and traced back to a credential-harvesting phishing campaign spoofing npm MFA updates. Shai-Hulud 2.0, surfaced November 24, 2025, was significantly more automated: it runs during the preinstall phase before any security checks, backdoors up to 100 packages per infected developer automatically, and includes a destructive fallback that overwrites the developer's home directory if exfiltration fails. Together they affected hundreds of unique packages and thousands of GitHub repositories.
Does this affect Yarn, pnpm, or other package managers?
Yes, because the worm targets the underlying package metadata (preinstall scripts and maintainer credentials), not the specific installer. Yarn and pnpm users installing from the npm registry are exposed to the same backdoored packages. The defensive recommendations — disable preinstall scripts by default, retire classic tokens, use hardware MFA, pin lockfiles — apply to all three package managers.
Sources & Further Reading
- The Shai-Hulud 2.0 npm Worm: Analysis, and What You Need to Know — Datadog Security Labs
- Shai-Hulud 2.0: Guidance for Detecting, Investigating, and Defending — Microsoft Security Blog
- "Shai-Hulud" Worm Compromises npm Ecosystem — Unit 42 (Palo Alto)
- Navigating the Shai-Hulud Worm 2.0 — Elastic Security Labs
- Understanding the Shai-Hulud npm Worm Attack — Sonatype
- Shai-Hulud 2.0 is Spreading. Here's What You Need to Know — ReversingLabs
- Widespread Supply Chain Compromise Impacting npm Ecosystem — CISA
- Shai-Hulud: Self-Replicating Worm Compromises 500+ NPM Packages — StepSecurity
- Supply Chain Worms in 2026: What Shai-Hulud Taught Attackers — Dark Reading
- dont-be-shy-hulud — Community Defense Guide (GitHub)
🔗 Related Intelligence
Securing the Software Supply Chain: Sigstore, SLSA, and the New Container Trust Model
Open Source Security: Supply Chain Attacks and the Growing Crisis
The IoT Botnet Crisis: How Billions of Connected Devices Became the Internet’s Biggest
Prompt Injection Attacks: The Security Hole That Comes With Every AI Application
