What Is Shai-Hulud
ReversingLabs researchers detected a self-replicating worm on the npm open-source registry on September 15, 2025. The worm received the name Shai-Hulud from the public GitHub repository storing its malicious code.
Fans of Frank Herbert's Dune series will recognise Shai-Hulud as the giant sandworms of Arrakis. The name suited the malware well: the worm consumed tokens, keys, and private repositories while spreading through the open-source software ecosystem.
Shai-Hulud became the first successful self-propagating attack in the npm ecosystem and one of the most severe JavaScript supply chain attacks observed to date.
In May 2026, Microsoft Security Research identified a resurgence called Mini Shai-Hulud, compromising more than 170 npm packages and 2 PyPI packages across 404 malicious versions.
The campaign demonstrated that a single compromised developer account could automatically weaponise every package connected to that account and continue spreading without direct operator intervention.
How the Worm Works
The attack begins with a compromised developer account. The initial compromise typically comes through phishing campaigns impersonating npm authentication notifications.
On infected machines, Shai-Hulud searched for GitHub credentials, npm tokens, AWS keys, GCP credentials, SSH keys, and environment variable secrets.
The worm then authenticated into npm using stolen tokens, modified packages maintained by the victim developer, and republished malicious versions into the public registry.
It also created public GitHub repositories under compromised accounts and committed stolen credentials into them using encoded formats.
The malware additionally carried a dead man's switch mechanism that threatened destruction of the user's home directory if propagation failed.
How the Worm Evolved
The campaign rapidly evolved after the initial September 2025 wave.
JFrog Security Research confirmed a second wave containing 796 malicious packages with improved obfuscation and modified delivery mechanisms.
Shai-Hulud 2.0 moved execution from postinstall to preinstall scripts, so the malicious code ran before any security testing of the installed dependency had completed.
The campaign compromised accounts linked to projects including Zapier, PostHog, and Postman.
Mini Shai-Hulud later expanded into the PyPI ecosystem, making it one of the first large-scale cross-registry supply chain worm campaigns.
How to Detect It
Microsoft Defender for Cloud introduced agentless code scanning capable of identifying known Shai-Hulud packages through Software Bill of Materials generation and package reputation lookups.
Teams should search for public repositories named Shai-Hulud or repositories containing migration-related naming patterns inside organisation accounts.
Security teams should additionally monitor:
- Unexpected outbound network calls during builds
- Suspicious child processes spawned from JavaScript applications
- Credential exposure inside public repositories
- Anomalous GitHub API activity
- Install-time dependency execution behaviour
How to Fix It If You Are Already Affected
Immediate containment begins with removing malicious dependencies and clearing cached packages.
All exposed credentials must be revoked and regenerated immediately:
- GitHub tokens
- npm tokens
- SSH keys
- AWS credentials
- API secrets
- Environment variable secrets
Affected CI/CD runners and developer workstations should be isolated pending investigation.
Access rights assigned to build pipelines and automation identities should be reduced immediately.
How to Prevent It
CISA recommended mandatory phishing-resistant multifactor authentication for GitHub and npm accounts together with immediate credential rotation.
Microsoft additionally recommended migration away from npm tokens toward trusted publishing workflows.
Organisations should enforce:
- Mandatory MFA for package publishing
- Dependency lifecycle script allowlists
- Continuous dependency monitoring
- Outbound network monitoring during builds
- Branch protection and secret scanning
- Repository webhook auditing
- Least privilege CI/CD permissions
The Bigger Picture
Shai-Hulud challenged a core assumption inside open-source ecosystems: trust in maintainers.
The software supply chain operates through inherited trust relationships. Once a maintainer account becomes compromised, every downstream consumer becomes exposed.
The campaign showed that software supply chain attacks no longer require direct targeting of enterprises. Compromising the ecosystem itself scales faster, spreads wider, and bypasses traditional perimeter assumptions.
Modern software supply chain security is no longer only about code quality. It is identity security, pipeline governance, package trust validation, and continuous monitoring operating together as one control system.