A deeper look at the Shai-Hulud 2.0 supply chain attack: reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.
Analysis Summary
# Incident Report: Shai-Hulud 2.0 Supply Chain Worm Spread
## Executive Summary
The Shai-Hulud 2.0 incident is an ongoing supply chain attack whose activity has been sustained longer than that of previous worms. Attackers used malicious packages across ecosystems, primarily targeting NPM, with confirmed spillover into OpenVSX and the Java/Maven ecosystem via automated mirroring. The primary impact is the exfiltration of secrets, predominantly from Linux-based CI/CD runners; the stolen credentials are then used to propagate the worm by creating new repositories that carry the exfiltration beacon.
## Incident Details
- Discovery Date: November 24, 2025 (when news first broke)
- Incident Date: Began sometime prior to November 24, 2025
- Affected Organization: Multiple organizations across various ecosystems (NPM, AsyncAPI, Maven)
- Sector: Technology/Software Development
- Geography: Global (based on ecosystem targeting)
## Timeline of Events
### Initial Access
- Date/Time: Ongoing since detection on Nov 24, 2025, with spikes observed up to Dec 1, 2025.
- Vector: Poisoned software packages/dependencies (NPM, AsyncAPI IDE extension, Maven mirroring).
- Details: The worm spreads via compromised releases/packages. When local credentials fail, it searches for prior victim repositories using the beacon string `"Sha1-Hulud: The Second Coming."` to steal credentials and upload new artifacts.
### Lateral Movement
- Details: Attackers move by leveraging stolen GitHub credentials from previous victims to upload new malicious repositories under those compromised accounts, effectively using existing infrastructure to spread the worm.
### Data Exfiltration/Impact
- Details: Exfiltration appears to be primarily centered on credential theft. Approximately 24,000 `environment.json` files containing system information and *GitHub credentials* were retrieved from compromised repositories. An OpenVSX API key was also exfiltrated.
### Detection & Response
- Date/Time: Response initiated immediately after news broke on November 24, 2025. Ongoing as of December 1, 2025.
- Details: Wiz Research and Wiz CIRT have been actively tracking and responding. Analysis involves pairing GitHub API data with GHArchive for comprehensive dataset creation.
## Attack Methodology
- Initial Access: Malicious package injection (NPM, AsyncAPI extension, Maven Mirroring).
- Persistence: Not explicitly detailed, but propagation relies on establishing new infection vectors across ecosystems.
- Privilege Escalation: Not explicitly detailed, but the core function involves accessing and using stolen GitHub credentials.
- Defense Evasion: Implied by the sustained activity; success in leveraging CI/CD runners suggests evasion of standard developer machine controls.
- Credential Access: Stealing GitHub credentials from compromised hosts (likely environment variables or configuration files on build systems).
- Discovery: System fingerprinting captured in the exfiltrated `environment.json` files revealed details about the victim OS and environment type.
- Lateral Movement: Using stolen credentials to create new repositories; searching for existing compromised accounts using a beacon string.
- Collection: Gathering system information (`environment.json`) and credentials on the infected host.
- Exfiltration: Uploading data to newly created or existing (compromised) GitHub repositories containing the exfiltration beacon.
- Impact: Credential theft and supply chain compromise leading to cross-ecosystem infection spread.
## Impact Assessment
- Financial: Not explicitly detailed, but implied by response efforts and remediation costs.
- Data Breach: High-value sensitive data, specifically **GitHub credentials** and one **OpenVSX API key**, exfiltrated (data volume >20,000 unique system profiles). Data stolen from systems running on Linux containers/CI/CD runners.
- Operational: Sustained infection spread over several days shows operational resilience for the attacker.
- Reputational: Significant damage to trust in multiple software package ecosystems (NPM, Maven, OpenVSX).
## Indicators of Compromise
- Network Indicators: (No specific IPs/URLs provided, but communication occurs via GitHub API uploads).
- File Indicators: Presence of a file containing exfiltrated data with the string `"Sha1-Hulud: The Second Coming."`.
- Behavioral Indicators: Creation of new public GitHub repositories by compromised accounts; prevalence of infections on CI/CD runners (especially GitHub Actions).
## Response Actions
- Containment measures: (Implied community/vendor actions to delist malicious packages, though not detailed in this summary excerpt).
- Eradication steps: (Referenced prior blog post for detailed response recommendations).
- Recovery actions: (Ongoing effort to track spread and mitigate newly identified victims/compromised accounts).
## Lessons Learned
- Supply chain attacks remain active for prolonged periods (Shai-Hulud 2.0 lasted over 6 days with continued activity).
- Automated cross-ecosystem mirroring (e.g., NPM to Maven) allows rapid, uncontrolled spread once a payload is released.
- CI/CD runners are the dominant target, representing 77% of infections observed in the analysis corpus.
- The use of a specific string as an operational beacon facilitates tracking exfiltration patterns.
## Recommendations
- Implement strict credential scanning and management for CI/CD environments, recognizing that secrets stored on Linux containers are prime targets.
- Enhance vigilance across multiple package ecosystems, since automated mirroring propagates a malicious package from one ecosystem into others.
- Improve detection mechanisms for unusual repository creation patterns originating from previously dormant or compromised accounts.
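The two behavioural indicators above (the beacon string appearing in repository metadata, and bursts of repository creation from accounts that were previously dormant) can be checked against a GitHub event feed such as GHArchive. The following is an added example, not code from the original report or from Wiz; it assumes the public GitHub Events API field names (`type`, `actor.login`, `repo.name`, `created_at`, `payload.description`, `payload.commits[].message`), and the event records are constructed sample data, not real observations.

```python
"""Flag GitHub activity matching the Shai-Hulud 2.0 behavioural indicators."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Beacon string reported in the incident summary.
BEACON = "Sha1-Hulud: The Second Coming."

# Constructed sample events in a GHArchive-like shape (assumption: field
# names follow the public GitHub Events API; the data itself is invented).
SAMPLE_EVENTS = """
{"type":"PushEvent","actor":{"login":"carol"},"repo":{"name":"carol/old-project"},"created_at":"2025-08-01T09:00:00Z","payload":{"commits":[{"message":"routine fix"}]}}
{"type":"CreateEvent","actor":{"login":"alice-ci"},"repo":{"name":"alice-ci/build-cache"},"created_at":"2025-11-24T10:00:00Z","payload":{"ref_type":"repository","description":"Sha1-Hulud: The Second Coming."}}
{"type":"CreateEvent","actor":{"login":"bob"},"repo":{"name":"bob/website"},"created_at":"2025-11-24T11:00:00Z","payload":{"ref_type":"repository","description":"my personal site"}}
{"type":"CreateEvent","actor":{"login":"carol"},"repo":{"name":"carol/x1"},"created_at":"2025-11-26T14:00:00Z","payload":{"ref_type":"repository","description":""}}
{"type":"CreateEvent","actor":{"login":"carol"},"repo":{"name":"carol/x2"},"created_at":"2025-11-26T14:10:00Z","payload":{"ref_type":"repository","description":""}}
{"type":"CreateEvent","actor":{"login":"carol"},"repo":{"name":"carol/x3"},"created_at":"2025-11-26T14:20:00Z","payload":{"ref_type":"repository","description":"Sha1-Hulud: The Second Coming."}}
{"type":"PushEvent","actor":{"login":"dave"},"repo":{"name":"dave/tools"},"created_at":"2025-11-27T08:00:00Z","payload":{"commits":[{"message":"Sha1-Hulud: The Second Coming."}]}}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _ts(ev: dict) -> datetime:
    """Event timestamp as an aware datetime (GHArchive uses a trailing 'Z')."""
    return datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))


def find_beacon_repos(events: list[dict]) -> list[str]:
    """Repositories whose description or commit messages contain the beacon."""
    hits = set()
    for ev in events:
        payload = ev.get("payload", {})
        texts = [payload.get("description") or ""]
        texts += [c.get("message", "") for c in payload.get("commits", [])]
        if any(BEACON in t for t in texts):
            hits.add(ev["repo"]["name"])
    return sorted(hits)


def find_dormant_bursts(
    events: list[dict],
    dormant_days: int = 90,
    window: timedelta = timedelta(hours=1),
    min_repos: int = 3,
) -> dict[str, list[str]]:
    """Accounts that create >= min_repos repositories within `window` after
    being inactive for `dormant_days` (no prior history counts as dormant)."""
    by_actor: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_actor[ev["actor"]["login"]].append(ev)

    flagged: dict[str, list[str]] = {}
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        creates = [
            e for e in evs
            if e["type"] == "CreateEvent"
            and e.get("payload", {}).get("ref_type") == "repository"
        ]
        for i, first in enumerate(creates):
            t0 = _ts(first)
            prior = [_ts(e) for e in evs if _ts(e) < t0]
            # Recent activity before the burst means the account was not dormant.
            if prior and t0 - max(prior) < timedelta(days=dormant_days):
                continue
            burst = [e["repo"]["name"] for e in creates[i:] if _ts(e) - t0 <= window]
            if len(burst) >= min_repos:
                flagged[actor] = burst
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("beacon repos:", find_beacon_repos(evs))
    print("dormant-account bursts:", find_dormant_bursts(evs))
```

On the constructed sample the beacon check flags `alice-ci/build-cache`, `carol/x3` and `dave/tools`, while the burst check flags only `carol`, whose three repositories in twenty minutes follow a gap of more than 90 days. The thresholds are starting points; on a real GHArchive hour file, tune `dormant_days`, `window` and `min_repos` against the baseline of the organisations you monitor, and treat a beacon hit as a high-confidence indicator and a burst alone as a triage signal.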