Shai-Hulud 2.0: When npm install Becomes a CI/CD Attack
· 4 min read
Between November 21 and 23, 2025, attackers compromised maintainer accounts to publish trojanized versions of popular npm packages. Unlike typical malware that might run quietly in the background, this variant is aggressively designed to harvest credentials and establish persistence within build environments.
What is Shai-Hulud 2.0?
Scale at a glance: ~700 npm packages linked to the campaign, 25k+ malicious GitHub repos auto-created, and large-scale secret leaks (GitHub tokens, AWS/GCP/Azure creds).