Shai-Hulud 2.0: The Supply Chain Crisis Escalates
***This post is an update to our September 24, 2025 post.¹***
The self-propagating worm, Shai-Hulud, has returned in a more aggressive variant, dubbed “Shai-Hulud 2.0” or “The Second Coming.”
This new wave targets the npm ecosystem, the backbone of modern web and enterprise applications. The attack has already compromised over 700 packages and exposed credentials in more than 25,000 GitHub repositories in an accelerating campaign. The worm, which harvests cloud credentials (AWS, GCP, Azure) and GitHub Personal Access Tokens, is scaling rapidly, with reports of 1,000 newly compromised repositories being discovered every 30 minutes.
This confirms that Shai-Hulud is just the latest in a growing wave of supply chain compromises. Gartner predicts that by 2026, 45% of organizations will experience attacks on their software supply chains, triple the number in 2021. Traditional “best effort” security and patching programs are no longer sufficient. When your business depends on open-source software, your attack surface expands far beyond the devices, pathways and systems you directly control.
Supply Chain Is the New Battleground
Modern software risk is massive. Ninety-four percent of applications rely on open-source components, and 84% of companies have suffered a software supply chain attack in the past year. These attacks spread quickly because today’s development ecosystem depends on public package registries like npm and automated CI/CD pipelines, where a single compromised dependency can cascade across thousands of organizations.
For enterprises, exposure goes far beyond patching internal systems. Your risk now spans developer workstations, code libraries, APIs, CI/CD pipelines, third-party services, and every partner in your development chain.
The Shai-Hulud 2.0 variant heightens this danger, introducing new and more aggressive tradecraft:
Shift in Execution Vector
Attackers have moved beyond relying solely on the postinstall hook. This variant runs in the preinstall phase: setup_bun.js pulls in the Bun runtime and executes the bun_environment.js payload before any of your own code or tests run, which significantly increases stealth and persistence. Modern CTEM is no longer a quarterly scan or static inventory exercise; it requires real-time, continuous assessment and response.
Comprehensive Software Inventory & Situational Awareness
A continuous asset intelligence database on its own isn’t enough. You also need a complete software inventory that includes SBOM data and CI/CD pipeline metadata, so you can track exactly which packages and versions are in use and when they were introduced.
With Shai-Hulud, monitoring, detecting, and preventing CI/CD compromise moves from important to urgent. Treat CI/CD runners as high-risk assets: developer machines and self-hosted runners must be elevated to the top risk tier. They are now prime targets for persistence and lateral movement, and attacks like this will happen again.
Early Warning Across the Supply Chain
Threats like Shai-Hulud spread in hours, not months. Real-time early warning is critical, requiring enhanced monitoring capabilities and the ability to automate a response when needed. Armis ingests signals from your existing security products and application security tooling and combines them with our Early Warning and CTEM service, so that a compromise like this is detected early in the kill chain.
Prioritization and Mitigation of Risk
In a supply chain attack, chasing every vulnerability is impossible. CTEM equips organizations to focus remediation where it matters most: assets linked to sensitive data, developer pipelines, and external-facing systems. Armis’ view is that all of these risks should be at analysts’ fingertips, so they can understand the risk and its impact, and so that detecting and remediating Shai-Hulud, or a vulnerability like Log4Shell, becomes a simple process.
Lessons from Shai-Hulud
This incident reinforces several critical hard truths for enterprises:
- Persistence Is the Goal: Your developers are now long-term targets. The worm maintains persistence by registering infected machines as self-hosted GitHub Actions runners and inserting a malicious workflow (.github/workflows/discussion.yaml) that enables ongoing remote code execution triggered through GitHub Discussions.
- Nested Dependencies Are Weaponized: A single compromised library, even five layers deep or as trivial as one that sets terminal font colors, can compromise your entire business.
- AppSec Must Shift Earlier: Application security teams must integrate automated ASPM across the whole development process. If your tooling can’t detect malicious workflow files or tainted packages before they run, you’re already exposed.
- Threat Actors Are Escalating Their Intent: The malware includes destructive capabilities, including attempts to wipe the victim’s home directory if propagation or authentication fails.
Mitigation & Proactive Steps
Organizations must go beyond reactive patching and adopt proactive exposure management by:
- Building a living asset and application security inventory with real-time updates.
- Correlating vulnerabilities to business-critical assets.
- Extending CTEM across third parties, APIs, and cloud ecosystems.
- Deploying Early Warning systems to detect threats before they spread.
Key Proactive Security Mandates
- Credential Revocation Mandate: Immediately revoke and regenerate all npm tokens, GitHub Personal Access Tokens (PATs), SSH keys, and cloud provider credentials that were accessible from any environment that installed an affected package version since November 21, 2025.
- Mandate Phishing-Resistant MFA: Enforce phishing-resistant Multi-Factor Authentication (MFA) on all developer and CI/CD accounts for platforms like npm and GitHub.
- Restrict Lifecycle Scripts: Implement policies to restrict or disable the execution of preinstall and postinstall scripts in CI/CD environments to mitigate this primary infection vector.
- Audit for Persistence Mechanisms: Actively audit repositories for unauthorized commits, newly created public repositories with “Sha1-Hulud: The Second Coming” in the description, and suspicious files such as .github/workflows/discussion.yaml.
Recommended Immediate Action Steps
To contain the risk and prevent further infection, organizations should immediately undertake the following:
- Audit GitHub and CI/CD Environments:
- Search for newly created repositories whose description contains “Sha1-Hulud: The Second Coming.”
- Review all CI/CD workflows for unauthorized or suspicious commits referencing “hulud.”
- Stop automatic new npm publishes under your organization until all environments and source code are reviewed and confirmed safe.
- Check Developer Workstations:
- Review all packages downloaded from npm during November 2025.
- Clear the npm cache: Remove the npm cache and the local node_modules directory so that no compromised packages linger:

```bash
npm cache clean --force
rm -rf node_modules
```
This attack underscores a single truth: securing your enterprise today means securing the extended enterprise. That’s where CTEM delivers value: giving organizations the visibility, prioritization, and early warning needed to stay ahead of the next Shai-Hulud.
Conclusion
Cybersecurity isn’t an app problem, an endpoint problem, or an OT problem; it’s all of them, all at once. Defense now demands a unified platform, not scattered tools. Armis is built for this moment. Where Shai-Hulud moves across domains, Armis correlates them, linking software components, cloud access, device behavior, and identity signals to expose the full kill chain. Even if attackers slip past SAST, SCA, and supply-chain scanners, Armis can still catch the fallout: unusual outbound traffic from CI runners, suspicious token use, lateral movement, privilege spikes, and more.
Shai-Hulud isn’t the ultimate in supply-chain malware; it’s the starting point for faster, autonomous, identity-aware worms that will eventually reach physical systems and business-critical operations.
Enterprises that keep AppSec, CloudSec, IT, and OT in silos will fall behind. The only path forward is unified CTEM and CPS intelligence on a single platform that sees every asset, understands every relationship, and maps every attack path.
Additional Notes:
Indicators of Compromise (IOCs)
Check for the payload files setup_bun.js and bun_environment.js.
This variant executes during the preinstall phase only. The malware writes the following files: cloud.json, contents.json, environment.json, and truffleSecrets.json. It also attempts to add a discussion.yaml workflow under .github/workflows. Check for all of these files.
Malware Hashes
| Filename | SHA1 |
| --- | --- |
| bun_environment.js | d60ec97eea19fffb4809bc35b91033b52490ca11 |
| bun_environment.js | 3d7570d14d34b0ba137d502f042b27b0f37a59fa |
| setup_bun.js | d1829b4708126dcc7bea7437c04d1f10eacd4a16 |
Some other checks:
- Monitor for Non-Standard Runtime Use: Detect the unexpected installation or use of the Bun runtime and the execution of specific payload files (setup_bun.js, bun_environment.js) as part of the malicious install chain.
- Detect Privilege Escalation Attempts: Monitoring must extend to anomalous behaviors like Docker privilege escalation attempts (mounting the host filesystem into a privileged container) to gain root access on Linux machines.
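The lifecycle-script and persistence mandates above, the immediate action steps, and this IOC list reduce to a handful of host-side checks. The script below is an added example written for this page; it is not Armis tooling and not the worm’s own code. It walks a directory tree (a repo checkout, a CI runner workspace, a developer home directory) for the IOC file names, hashes each match against the SHA1s listed in the table above, flags the .github/workflows/discussion.yaml persistence workflow and any workflow mentioning “hulud,” and pins ignore-scripts=true in a project’s .npmrc to shut the preinstall vector. The function names (scan_tree, harden_npmrc, sha1_of) are this example’s own. A name match alone is not proof of compromise, since legitimate projects can use these names; a hash match against the listed SHA1s is.

```shell
#!/bin/sh
# Added example for this page (not code from the Armis post or the worm):
# an offline audit for the Shai-Hulud 2.0 indicators listed above.
# Function names are this example's own; file names and SHA1s are from the IOC table.
set -u

# SHA1 hashes the post lists for bun_environment.js and setup_bun.js.
IOC_SHA1="d60ec97eea19fffb4809bc35b91033b52490ca11
3d7570d14d34b0ba137d502f042b27b0f37a59fa
d1829b4708126dcc7bea7437c04d1f10eacd4a16"

# File names the worm uses: the two payload loaders and the harvested-secret dumps.
IOC_NAMES="setup_bun.js bun_environment.js cloud.json contents.json environment.json truffleSecrets.json"

# SHA1 of a file using whichever tool the host has (sha1sum on Linux, shasum on macOS).
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Walk a tree and print one finding per line:
#   NAME <path>          a file with an IOC file name (name match only; may be benign)
#   HASH <sha1> <path>   the file's SHA1 is in the post's list (confirmed payload)
#   WORKFLOW <path>      the .github/workflows/discussion.yaml persistence workflow
#   REF <path>           a workflow file under .github/workflows that mentions "hulud"
scan_tree() {
  root=$1
  for name in $IOC_NAMES; do
    find "$root" -type f -name "$name" 2>/dev/null | while IFS= read -r f; do
      printf 'NAME %s\n' "$f"
      h=$(sha1_of "$f")
      if printf '%s\n' "$IOC_SHA1" | grep -qx "$h"; then
        printf 'HASH %s %s\n' "$h" "$f"
      fi
    done
  done
  find "$root" -type f -path '*/.github/workflows/discussion.yaml' 2>/dev/null |
    while IFS= read -r f; do printf 'WORKFLOW %s\n' "$f"; done
  find "$root" -type d -path '*/.github/workflows' 2>/dev/null |
    while IFS= read -r d; do
      grep -rli 'hulud' "$d" 2>/dev/null | while IFS= read -r f; do printf 'REF %s\n' "$f"; done
    done
}

# Containment for the preinstall vector: make npm skip lifecycle scripts for a
# project by adding ignore-scripts=true to its .npmrc (idempotent). Packages that
# genuinely need a build step are then rebuilt one at a time, after review, with
# `npm rebuild <pkg> --ignore-scripts=false`.
harden_npmrc() {
  rc=$1
  touch "$rc"
  if ! grep -qx 'ignore-scripts=true' "$rc"; then
    printf 'ignore-scripts=true\n' >> "$rc"
  fi
}

# Usage: sh shai_hulud_audit.sh /path/to/scan   (no argument: only defines the functions)
if [ $# -gt 0 ]; then
  scan_tree "$1"
fi
```

Run it against every self-hosted runner workspace and developer home directory, not just repositories, because the worm harvests credentials from the host rather than from the project. Treat any HASH or WORKFLOW finding as a compromised host: isolate it and rotate every credential it could reach, as the mandates above require, rather than re-running an install. The “hulud” string check is triage only, since a rebuilt variant can rename its workflow; the file-name and hash checks do not depend on that string.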
¹ https://www.armis.com/blog/shai-hulud-and-the-npm-ecosystem-why-ctem-must-extend-beyond-your-walls/