Shai-Hulud 2.0 demonstrates the danger of open source, expert says

By Ken Showers, Managing Editor
Updated 10:36 AM CST, Fri December 12, 2025
YARMOUTH, Maine — Developers are picking up the pieces after the catastrophic release of the Shai-Hulud 2.0 malware worm in the Node Package Manager (NPM) registry.
The worm infected thousands of repositories, exposing up to 400,000 developer secrets and wiping victims’ home directories. Its primary goal was to steal sensitive credentials, including GitHub Personal Access Tokens (PATs) and API keys for major cloud platforms like AWS, Google Cloud and Microsoft Azure.
Microsoft, in a guidance update, called the supply chain attack “…one of the most significant cloud-native ecosystem compromises observed recently.”
Joe Saunders, founder and CEO of RunSafe Security, warned of the broader implications:
“Shai-Hulud v2 demonstrates how quickly a single point of compromise can snowball across ecosystems when automated build and publishing processes are left unprotected,” he said. “Attackers didn’t rely on novel zero-days — they exploited everyday CI and packaging workflows that most organizations assume are safe.”
Although the worm’s spread has slowed, it remains an active threat, and experts like Saunders are uncertain how long it will persist.
“Incidents like this highlight why the industry must shift from reacting to malware after distribution to preemptively hardening software at build-time,” he said. “By eliminating exploit reuse at the binary level and ensuring every artifact is uniquely protected, we can dramatically reduce the blast radius of these supply chain attacks.”
As of press time, the attack had compromised 600 to 800 NPM packages and spawned 25,000 to 30,000 malicious GitHub repositories, impacting hundreds of thousands of developers.
Microsoft has published guidance on detecting and defending against the worm.
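Because the compromise reached developers through ordinary npm packages, one practical defensive check is to audit a project's lockfile against a list of known-compromised package versions and to flag dependencies that run code at install time. The script below is an added example, not part of the article and not Microsoft's published guidance; the `COMPROMISED` set and `SAMPLE_LOCK` are constructed placeholders, to be replaced with the real indicators from the vendor guidance the article refers to. It assumes a `package-lock.json` of lockfileVersion 2 or 3, whose `packages` map carries a `version` and, for packages with install hooks, `hasInstallScript`.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder denylist of (name, version) pairs. Replace with the
# current indicators from the published guidance; these names are invented.
COMPROMISED = {
    ("example-widget", "1.4.2"),
    ("example-left-pad-fork", "0.0.9"),
}


def load_lockfile_packages(lock: dict) -> Dict[str, dict]:
    """Return the 'packages' map of a lockfileVersion 2/3 package-lock.json."""
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    return lock["packages"]


def package_name(path: str) -> str:
    """Extract the package name from a lockfile key.

    Keys look like "node_modules/foo", "node_modules/@scope/foo" or, for a
    nested dependency, "node_modules/a/node_modules/b"; the name follows the
    last "node_modules/" segment.
    """
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict, denylist: Iterable[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (compromised, install_scripts) as sorted 'name@version' lists.

    compromised     -> entries whose (name, version) is in the denylist
    install_scripts -> entries that npm marks with hasInstallScript, i.e. that
                       execute a preinstall/install/postinstall hook on install
    """
    deny = set(denylist)
    compromised: List[str] = []
    install_scripts: List[str] = []
    for path, meta in load_lockfile_packages(lock).items():
        if path == "":  # the root project entry describes the project itself
            continue
        name = package_name(path)
        version = meta.get("version", "")
        label = f"{name}@{version}"
        if (name, version) in deny:
            compromised.append(label)
        if meta.get("hasInstallScript"):
            install_scripts.append(label)
    return sorted(compromised), sorted(install_scripts)


def audit_file(lock_path: str, denylist: Iterable[Tuple[str, str]] = COMPROMISED) -> Tuple[List[str], List[str]]:
    """Audit a package-lock.json on disk."""
    with open(lock_path, "r", encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh), denylist)


# Constructed sample lockfile: one denylisted package with an install hook, one
# clean scoped package, and a denylisted version nested under it.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-widget": {"version": "1.4.2", "hasInstallScript": True},
        "node_modules/@acme/safe-lib": {"version": "2.0.0"},
        "node_modules/@acme/safe-lib/node_modules/example-left-pad-fork": {"version": "0.0.9"},
    },
}


if __name__ == "__main__":
    hits, hooks = audit_lockfile(SAMPLE_LOCK, COMPROMISED)
    print("denylisted:", hits)
    print("install scripts:", hooks)
```

Run it against a real lockfile with `audit_file("package-lock.json")` in CI before `npm ci`; a non-empty first list should fail the build, while the second list is a review queue rather than a verdict, since many legitimate native-addon packages also carry install scripts.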