Shai-Hulud 2.0: Supply-Chain Attack Impacts Over 25,000 GitHub Repositories


Independent investigations by Wiz, Sysdig, and other security teams have uncovered a renewed wave of supply-chain attacks known as Shai-Hulud 2.0 / Sha1-Hulud, targeting npm dependencies, GitHub repositories, and CI/CD ecosystems. The campaign spreads malicious code through compromised packages and attempts to exfiltrate tokens, keys, and configuration files from developer systems.

What Happened

  • Multiple malicious npm packages impersonating legitimate libraries were published and distributed on GitHub.

  • The malware is executed through preinstall lifecycle scripts, as confirmed by Wiz and Sysdig.

  • Attackers inject GitHub Actions workflows designed to steal sensitive data and send it to attacker-controlled repositories (The Hacker News).

  • The campaign includes a self-replicating mechanism: infected repositories automatically create new malicious repositories (Wiz).

Scope & Impact

  • Over 25,000 GitHub repositories show indicators of compromise or participation in the campaign (Wiz, Sysdig).

  • Approximately 350 GitHub accounts were used to publish malicious repositories (Wiz).

  • Researchers identified hundreds of malicious npm packages, with estimates ranging from 600 to more than 700 (Wiz, SafeDep).

  • Propagation speed: up to ~1,000 new malicious repositories every 30 minutes (Wiz).

Business Impact

  • Theft of GitHub and cloud credentials → risk of unauthorized access.

  • Potential compromise of build pipelines through malicious dependencies.

  • Lateral movement through developer machines and CI/CD environments.

  • Disruption of trusted software supply-chain processes.

Why It Matters

Shai-Hulud 2.0 exploits several deeply trusted parts of modern development workflows:

  • npm dependencies

  • lifecycle hooks

  • GitHub Actions workflows

  • CI/CD processes

  • developer workstations

This is an inside-out supply-chain attack — entering through the tools developers rely on every day.


DIAMATIX Expert Perspective

Following the reports and public indicators shared by security researchers, DIAMATIX has completed internal and customer-side verification procedures.

All DIAMATIX customers have been verified as safe.
No exposure, no affected systems and no indicators of compromise were detected within our customer environments.

We continue to monitor the situation closely and maintain proactive vigilance across all protected infrastructures.


Conclusion

Shai-Hulud 2.0 is one of the most significant npm supply-chain attacks to date. Strengthening dependency control, monitoring CI/CD pipelines, and protecting developer environments are essential for organizational resilience. DIAMATIX remains committed to providing trusted, innovative and vigilant protection.

Trusted · Innovative · Vigilant.

Sources

  • Wiz Research
  • Sysdig
  • SafeDep
  • Docker
  • The Hacker News
