Full Report
The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM (Node Package Manager) registry and publishing stolen data in 30,000 GitHub repositories. [...]
Analysis Summary
# Incident Report: Shai-Hulud 2.0 NPM Supply Chain Attack
## Executive Summary
The Shai-Hulud threat actor executed a second, more extensive wave of supply chain attacks targeting the NPM registry, infecting over 800 packages. This attack resulted in the exposure of approximately 400,000 raw development secrets, which were then published across 30,000 GitHub repositories. While much of the data was noisy, security researchers confirmed hundreds of valid, active secrets, including cloud credentials, posing an ongoing risk for further compromise.
## Incident Details
- Discovery Date: Sometime during the reporting period (second attack happened "last week" relative to Dec 2, 2025). Discovery confirmed by Wiz researchers.
- Incident Date: Relates to the second documented Shai-Hulud attack wave (following an initial attack in mid-September).
- Affected Organization: NPM Registry users; developers utilizing affected packages.
- Sector: Software Development / Open Source Ecosystem.
- Geography: Global impact due to the nature of the NPM registry.
## Timeline of Events
### Initial Access
- Date/Time: Preceded by an initial attack in mid-September; the second wave occurred "last week" before Dec 2, 2025.
- Vector: Compromise and poisoning of public NPM packages.
- Details: The malware was uploaded into hundreds of packages in the NPM registry. Infection was triggered via the `preinstall` event running `node setup_bun.js`.
### Lateral Movement
- Details: No explicit internal network lateral movement is described for the threat actor. The movement was lateral across the software supply chain: compromised packages spread to 800+ repositories, and stolen data was deposited across 30,000 GitHub repositories.
### Data Exfiltration/Impact
- Date/Time: Occurred post-infection upon package execution.
- Details: Affected systems (developer machines, CI/CD runners—87% Linux, 76% containers) executed the payload, which used TruffleHog to identify account tokens. Stolen data (including GitHub usernames, tokens, environment details, and CI/CD metadata) was published to new GitHub repositories.
### Detection & Response
- Date/Time: Ongoing analysis as of December 1st.
- Details: Wiz researchers analyzed the leaked data. The open-source TruffleHog tool verified approximately 10,000 secrets as potentially valid among the 400,000 exposed.
## Attack Methodology
- Initial Access: Compromised NPM packages containing a self-propagating malicious script.
- Persistence: Not explicitly detailed for the infrastructure, but the malware was designed to propagate via the supply chain.
- Privilege Escalation: Not specified; the malware relied on the context of the environment it ran in (e.g., CI/CD runners).
- Defense Evasion: Generated noise (TruffleHog was run without the `--only-verified` flag), which masked valid credentials within the volume of output.
- Credential Access: Used the TruffleHog scanning tool *within the victim environment* to identify and harvest account tokens and secrets.
- Discovery: Used TruffleHog to scan local file systems and environment variables for secrets meeting known patterns.
- Lateral Movement: Spread to over 800 NPM packages (including all versions) and published artifacts to 30,000 GitHub repositories.
- Collection: Collected various types of secrets, organized into files like `contents.json`, `truffleSecrets.json`, `environment.json`, and `actionsSecrets.json`.
- Exfiltration: Published collected data (secrets) directly to newly created GitHub repositories.
- Impact: Data disclosure, potential for follow-on attacks using harvested valid secrets.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Approximately 400,000 raw secrets exposed, including GitHub tokens, NPM tokens, cloud provider credentials, and CI/CD metadata. Over 60% of leaked NPM tokens remained valid post-discovery.
- Operational: Direct impact on developers and CI/CD pipelines running affected packages (e.g., `@postman/tunnel-agent` and `@asyncapi/specs`). Potential for significant supply chain disruption via subsequent unauthorized access.
- Reputational: Damage to trust in the stability and security of the NPM ecosystem.
## Indicators of Compromise
- Network Indicators: N/A (Attack relied on self-publishing to GitHub).
- File Indicators: Presence of suspicious files in repository snapshots (e.g., `contents.json`, `truffleSecrets.json`, `environment.json`, `actionsSecrets.json`).
- Behavioral Indicators: Execution of `node setup_bun.js` during the `preinstall` event in NPM package installations.
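
A defender's check for the file and behavioral indicators above, as an added example that is not part of the original report: it walks an installed dependency tree and flags packages whose install-time lifecycle scripts reference `setup_bun.js` or that ship a file by that name. The function names, the inclusion of `install` and `postinstall` alongside `preinstall`, and the sample package names are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const HOOKS = ['preinstall', 'install', 'postinstall']; // report names preinstall; the rest are assumed
const IOC_NAME = 'setup_bun.js'; // script name given in this report

// Check one package directory against the report's indicators.
function inspectPackage(dir) {
  let manifest;
  try {
    manifest = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')) || {};
  } catch { return []; } // unreadable or malformed manifest
  const scripts = manifest.scripts || {};
  const findings = HOOKS
    .filter((h) => typeof scripts[h] === 'string' && scripts[h].includes(IOC_NAME))
    .map((h) => ({ dir, name: manifest.name, hook: h, command: scripts[h] }));
  if (fs.existsSync(path.join(dir, IOC_NAME))) findings.push({ dir, name: manifest.name, file: IOC_NAME });
  return findings;
}

// Walk a tree such as node_modules, covering scoped and nested packages.
function scanTree(root) {
  const findings = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    let entries;
    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { continue; }
    if (entries.some((e) => e.name === 'package.json')) findings.push(...inspectPackage(dir));
    // isDirectory() is false for symlinks, so links are not followed.
    for (const e of entries) if (e.isDirectory()) stack.push(path.join(dir, e.name));
  }
  return findings;
}

// Constructed sample tree: one benign package, one carrying both indicators.
function buildConstructedSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'ioc-sample-'));
  const add = (name, scripts, extraFile) => {
    const dir = path.join(root, 'node_modules', name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, scripts }));
    if (extraFile) fs.writeFileSync(path.join(dir, extraFile), '// constructed placeholder\n');
  };
  add('benign-pkg', { test: 'node test.js' });
  add('@scope/flagged-pkg', { preinstall: 'node setup_bun.js' }, IOC_NAME);
  return root;
}
```

Calling `scanTree('node_modules')` from a project root returns one finding per matching hook or file; an empty array means neither indicator was found in that tree.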
## Response Actions
- Containment Measures: Not detailed in the article, but containment implicitly required de-publishing infected packages and invalidating leaked credentials.
- Eradication Steps: N/A (Focus of the article is on the analysis of the breach).
- Recovery Actions: N/A (Focus of the article is on the analysis of the breach).
## Lessons Learned
- Supply chain targeting remains a critical, high-impact vector.
- Focus on high-dependency packages leads to maximized impact (e.g., two packages accounted for 60%+ of infections).
- Automated secret scanning tools (like TruffleHog) utilized by attackers can effectively vacuum credentials from compromised build environments.
- Leakage through public platforms (GitHub) is a viable exfiltration method for attackers.
## Recommendations
- Developers must rigorously audit third-party packages, especially those with high download counts or core utility functions.
- Implement strict secrets management policies, ensuring secrets are never stored in source code or environment snapshots shared publicly.
- Organizations using CI/CD platforms (GitHub Actions, Jenkins, GitLab CI) must enforce immediate rotation of any credentials used within those environments following a supply chain compromise alert.
- Integrate automated secret scanning (ideally configured to report **only verified** secrets) into build pipelines to detect and neutralize potential credential leakage before it propagates.