Shai-Hulud 2.0: The Worm Returns – Bigger, Meaner, and Ready to Wipe Your Home Directory
Just when you thought the desert was safe, the great worm has awakened again.
In September 2025 we covered the first Shai-Hulud npm supply-chain campaign. Two months later, on November 21, the attackers launched a far more aggressive second wave. Multiple vendors reported the outbreak on November 24, and as of November 25, 2025, there are hundreds of malicious package versions, with combined monthly downloads over 100 million, according to early vendor estimates, and the worm is still spreading at an alarming pace.
Over 25,000 GitHub repositories belonging to hundreds of maintainers have already been compromised, with new infections appearing every 30–40 minutes. The list of high-profile victims includes Zapier, ENS Domains, PostHog, Postman, and hundreds of others.
Why these targets? The attackers aren’t randomly carpet-bombing npm; they’re strategically hunting maintainers with broad publishing rights. A single compromised Zapier or Postman developer can poison dozens of high-trust packages in one stroke, cascading the infection to millions of downstream users. High-profile victims also generate less suspicion when publishing updates, making malicious versions harder to spot in the noise.
This is not a repeat offender. This is an escalation, so let’s go through what’s changed.
TL;DR
- New Shai-Hulud 2.0 wave hits npm in late November 2025, with hundreds of malicious package versions and nine-figure monthly downloads.
- Tens of thousands of GitHub repos and hundreds of maintainers are impacted, including large, well-known projects.
Shai-Hulud 1.0 vs 2.0
- 2.0 moves from postinstall to preinstall, abuses a fake Bun environment plus Node, and spreads faster and more aggressively.
- It adds self-healing via GitHub search, more privilege-escalation tricks, and a destructive fallback that may wipe home directories.
How the infection works
- Trojanized npm packages run a preinstall chain (setup_bun.js, bun_environment.js), download TruffleHog, and hunt for secrets.
- Stolen tokens and data are pushed to marked GitHub repos, new self-hosted runners and workflows are deployed, and more malicious packages are published.
Indicators of compromise
- Look for suspicious preinstall scripts invoking Bun/curl/wget and files like setup_bun.js, bun_environment.js, or verify.js.
- Watch for odd self-hosted runners, new workflows, and GitHub repos using the “Sha1Hulud: The Second Coming” beacon phrase or similar markers.
Immediate mitigation steps
- Pin dependencies to safe versions, guided by current dates and curated IoC/package lists.
- Hunt for IoCs across dev and CI, rotate all exposed credentials, remove rogue runners/workflows, and enforce MFA and scoped tokens.
Reflectiz
- Traditional SCA alone cannot keep up with a fast-moving, mutating worm like Shai-Hulud 2.0.
- Reflectiz provides behavioral monitoring that can detect anomalous install hooks, exfiltration attempts, and destructive behavior without adding agents.
Final word
- Shai-Hulud 2.0 raises the stakes from stealthy theft to potential sabotage if blocked.
- Teams should act before the next wave by tightening supply-chain defenses and validating their visibility into npm and GitHub attack paths.
Shai-Hulud 1.0 vs 2.0 – What Changed?
The first Shai-Hulud campaign was already one of the most advanced npm supply-chain attacks on record, yet it was still primarily focused on stealthy credential theft and gradual propagation. The second wave is fundamentally different: it’s faster, more destructive, and engineered to survive cleanup attempts. What started as a sophisticated espionage operation has evolved into an aggressive, self-replicating worm that escalates to outright sabotage the moment its primary goals are blocked. The differences are not minor refinements; they represent a clear leap in both capability and malice. Here’s exactly how much worse Shai-Hulud 2.0 has become:
| Feature | Sep 2025 Wave | Nov 2025 Wave (2.0) |
|---|---|---|
| Infection trigger | postinstall | preinstall (executes before dependencies resolve) |
| Primary runtime | Node.js | Abuses a fake Bun runtime and related scripts, while still leveraging Node.js where needed |
| Affected packages | ~500 | 500+ (100m+ monthly downloads) |
| Exfiltration repos | Fixed usernames | Random 18-char repo names |
| Beacon phrase | “Shai-Hulud” | “Sha1Hulud: The Second Coming” |
| Destructive fallback | None | May wipe home directories if exfiltration fails |
| Self-healing | Basic | Advanced GitHub search + reseeding |
| Privilege escalation | Limited | Docker abuse, sudo checks, CI runner registration |
How the Infection Works – Step by Step
1. Victim runs npm install on a trojanized package.
2. The package’s preinstall script executes setup_bun.js → bun_environment.js.
3. Payload detects OS and runtime. It creates a fake “Bun” environment by dropping setup_bun.js and bun_environment.js—scripts that mimic Bun’s faster execution but actually run malicious Node.js code under the hood. This disguise helps evade detection tools looking for suspicious Node processes, since “bun run” appears benign in logs.
4. TruffleHog is downloaded and scans the local environment and mounted Git repositories for secrets (NPM tokens, AWS/GCP credentials, GitHub tokens, etc.).
5. Secrets are triple Base64-encoded (encode → encode → encode) to evade simple pattern-matching tools that flag base64 strings in GitHub commits. Each encoding layer makes the exfiltrated data look increasingly like random gibberish to automated scanners, buying the attackers time before detection.
6. The machine is registered as a self-hosted GitHub Actions runner by dropping shaihuludworkflow.yml (or similar) into .github/workflows/.
7. Using any stolen NPM token, the worm publishes malicious versions of up to dozens of other packages the maintainer has access to.
8. If exfiltration or propagation fails for any reason, the destructive payload wipes the user’s home directory (Linux/macOS/Windows).
Indicators of Compromise (IoCs)
- Suspicious preinstall scripts calling bun run, curl, or wget
- Files named setup_bun.js, bun_environment.js, verify.js
- New GitHub repositories with the description “Sha1Hulud: The Second Coming”
- Unexpected self-hosted runners appearing in your organization
- New workflow files, such as shaihuludworkflow.yml or shai-hulud-workflow.yml
- Outbound connections to webhook.site or other temporary paste services
Immediate Mitigation Steps
1. Pin all dependencies to versions published before November 21, 2025. (Note: the November 21, 2025 cutoff reflects current knowledge, and attackers could backdate or republish versions, so teams should also rely on curated IoC/package lists from trusted vendors and registries.)
2. Scan every workstation and build server for the IoCs listed above.
3. Rotate every credential that might have been exposed (NPM tokens first, then cloud + GitHub).
4. Delete and block any rogue self-hosted runners in GitHub Settings → Actions → Runners.
5. Enforce MFA and scoped tokens across npm and GitHub.
6. Use npm audit or Snyk/Dependabot to identify and remove infected package versions.
How Reflectiz Helps Stop This Attack in Its Tracks
Traditional SCA tools excel at finding known vulnerabilities, but Shai-Hulud 2.0 is a zero-day worm that mutates in real time — static scans alone can’t keep up.
Reflectiz provides behavioral monitoring that detects anomalous install hooks, secret exfiltration attempts, and destructive commands before they execute. Because it’s agentless, it catches supply-chain threats that traditional endpoint or SCA solutions never see.
Final Word
The desert never forgives the unprepared. Shai-Hulud 2.0 is faster, smarter, and willing to burn everything down if it can’t steal your secrets.
Don’t wait for the next wave; get ready for it.
Schedule a free Reflectiz supply-chain risk assessment today and make sure the worm never makes it past your gates.