Skip to content
Now taking design partners.Roadmap →

npm · 2025

Shai-Hulud 2.0

Second wave of the Shai-Hulud npm worm. 796 packages backdoored via stolen maintainer credentials, self-propagates through the same postinstall pattern as wave 1.

Run this campaignScale: 796 npm packages, self-replicating worm

What happened

The Shai-Hulud worm returned in November 2025 with a materially larger blast radius than its September debut. The wave 2 outbreak backdoored 796 npm packages across the registry, republishing malicious versions of legitimate libraries under attacker-controlled maintainer sessions.

For context, the original wave in September 2025 hit roughly 200 packages and around 500 versions before npm and OpenSSF coordinated takedowns. Wave 2 resurfaced the same mechanic with new tooling and, crucially, better handling of the two-factor gate that slowed the September outbreak.

How it propagated

Shai-Hulud is a proper worm, not a one-shot supply-chain compromise. Each backdoored package ships a postinstall script that harvests credentials from the host that installs it. npm tokens in ~/.npmrc, GitHub PATs from gh CLI config, cloud CLI profiles, SSH keys. Those tokens are then used to authenticate to npm and republish tainted versions of any package the compromised maintainer owns. Every install becomes a potential re-publisher. The result is a compounding curve rather than a fixed victim count.

What Drig sees

The lang_pkg collector inventories package.json, package-lock.json, yarn.lock, and pnpm-lock.yaml across every enrolled endpoint and streams package + version + hash. The signed catalog lists every affected version range; retro-match runs the campaign template across current fleet state without a rescan on the endpoint. Exposed hosts appear in the console with the tainted version pinned and the install-source path.

Rotation checklist

  • Revoke every npm token issued to affected machines (npm token revoke).
  • Cycle GitHub personal access tokens and OAuth app tokens on the same hosts.
  • Rotate SSH keys and cloud CLI credentials that were resident during the exposure window.
  • Force IdP re-authentication for the developer identities involved.
  • Rebuild lockfiles from a clean base after upstream versions are restored.

Sekeye ships Shai-Hulud 2.0 as a signed campaign template. When wave 3 arrives, and worm ecosystems suggest it will, retro-match catches current fleet state against the new IOC set without a Drig release.