Shai-Hulud 2.0: The Self-Replicating NPM Worm That Infected 796 Packages

The npm ecosystem just experienced one of its most sophisticated supply chain attacks to date. Dubbed "Shai-Hulud 2.0" by the security community, this self-replicating worm has successfully infiltrated hundreds of legitimate packages, stealing credentials, setting up backdoors, and propagating itself without any centralized command-and-control infrastructure.

What makes this attack particularly dangerous is its autonomous nature—once infected, the malware can spread to other packages automatically, creating a cascading effect across the entire npm ecosystem. Here's everything developers and security teams need to know about this threat.

What Is Shai-Hulud 2.0?

Shai-Hulud 2.0 is the second iteration of a self-replicating npm worm first discovered in September 2025. Unlike traditional malware that requires ongoing communication with attacker-controlled servers, this worm is designed to operate autonomously once it infects a system.

The attack works by injecting two malicious files into legitimate npm packages:

• setup_bun.js - The initial infection vector
• bun_environment.js - The obfuscated payload

These files are triggered automatically via a malicious preinstall script that executes whenever someone installs the infected package. By the time you realize something is wrong, the damage may already be done.

The Scale of the Attack

The numbers behind this attack are staggering:

These figures represent a lower bound based on publicly available data. The actual impact is likely significantly higher, as many compromised credentials may not have been discovered yet. The attack affected developers across over 150 unique GitHub organizations, indicating widespread enterprise exposure.

How the Attack Works: A Technical Breakdown

Understanding the attack mechanism is crucial for both detection and prevention. The malware operates in five distinct stages:

Stage 1: Evasion Through Bun Runtime

The first clever trick the malware employs is installing and using the Bun JavaScript runtime instead of Node.js. This serves two purposes:

• It evades security monitoring tools specifically configured to watch Node.js processes
• It provides a fresh execution environment that may bypass sandboxing or containerization measures

Once Bun is installed, the malware uses it to execute heavily obfuscated payloads that are difficult to analyze statically.

Stage 2: Comprehensive Credential Harvesting

This is where the malware shows its sophistication. It doesn't just look for obvious credential files—it implements a multi-pronged approach to steal as many secrets as possible:

This comprehensive approach means that whether you're running on a developer laptop, a CI/CD pipeline, or a cloud-based serverless function, the malware can likely find and steal your credentials.

Stage 3: GitHub-Based Exfiltration with a Twist

The exfiltration mechanism is where things get really interesting. The malware's primary method is to create a new public GitHub repository using the victim's stolen GitHub credentials. This repository has a distinctive marker—a description reading "Sha1-Hulud: The Second Coming."

But here's the clever part: if the malware can't find GitHub credentials on the infected machine, it doesn't give up. Instead, it searches GitHub for other repositories with that same distinctive description and steals credentials from those repositories to use for its own exfiltration.

Stage 4: Self-Hosted GitHub Runner for Persistent Access

To maintain persistent access to compromised machines, the malware sets up a self-hosted GitHub Actions runner. This is particularly insidious because:

• It uses legitimate GitHub infrastructure, making it harder to detect as malicious traffic
• It allows the attacker to execute arbitrary code on the victim's machine using GitHub's native workflow features
• It doesn't require opening inbound firewall ports or establishing reverse shells
• Security teams may overlook it as legitimate DevOps automation

Stage 5: Autonomous Self-Propagation

This is what makes Shai-Hulud 2.0 a true worm rather than just malware. Once it has compromised a developer's machine and stolen their npm credentials, it automatically:

1. Identifies up to 100 packages published by that developer
2. Reads its own malicious code from the infected package (no C&C server needed!)
3. Injects that code into the victim's other packages
4. Publishes new versions of those packages to npm

This self-replication happens automatically without any attacker intervention, allowing the worm to spread exponentially across the npm ecosystem.

How to Detect If You're Affected

Early detection is critical. Here are the key indicators of compromise (IOCs) you should check immediately:

Immediate Response Steps If You're Compromised

If you discover you've been affected, time is of the essence. Follow these steps in order:

Long-Term Prevention Strategies

Preventing future supply chain attacks requires a multi-layered security approach:

The Bigger Picture: Supply Chain Security in 2025

The Shai-Hulud 2.0 attack represents a significant evolution in supply chain threats. Unlike previous attacks that relied on typosquatting or social engineering to get malicious packages published, this worm compromises legitimate, trusted packages that developers already use.

What makes this particularly concerning is the autonomous nature of the attack. Traditional malware campaigns require ongoing attacker involvement, but self-replicating worms can spread exponentially without any human intervention. Once released, they become nearly impossible to fully contain.

The npm ecosystem's response has been swift—evidence suggests that npm implemented measures to prevent further package infections around 6 PM UTC on November 24, 2025. However, the damage from already-infected packages will take months to fully remediate as developers update their dependencies and rotate compromised credentials.

Conclusion: Staying Vigilant in an Evolving Threat Landscape

The Shai-Hulud 2.0 worm is a wake-up call for the entire JavaScript ecosystem. With 796 packages compromised and over 20 million weekly downloads affected, this attack demonstrates that supply chain security can no longer be an afterthought.

The good news is that the security community responded quickly, and npm took action to limit the spread. The bad news is that this won't be the last attack of its kind. As package ecosystems grow and become more interconnected, they become increasingly attractive targets for sophisticated attackers.

The key to resilience isn't preventing every attack—that's impossible. Instead, it's about building systems that can detect compromises quickly, contain damage effectively, and recover rapidly. Organizations that invest in supply chain security today will be the ones that survive the inevitable attacks of tomorrow.