UK Tech Insider
AI Ethics & Regulation

Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets

By Declan Murphy, November 26, 2025

The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry.

The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the “setup_bun.js” loader and the main payload “bun_environment.js.”

“This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload,” the cybersecurity company said in a Tuesday update.

It’s worth noting that the Maven Central package is not published by PostHog itself. Rather, the “org.mvnpm” coordinates are generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. Maven Central said it is working to implement additional protections to prevent already known compromised npm components from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies have been purged.

The development comes as the “second coming” of the supply chain incident has targeted developers globally with the aim of stealing sensitive data like API keys, cloud credentials, and npm and GitHub tokens, and facilitating deeper supply chain compromise in a worm-like fashion. The latest iteration has also evolved to be more stealthy, aggressive, scalable, and destructive.

Besides borrowing the overall infection chain of the initial September variant, the attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their machines, scans for secrets, and exfiltrates them to GitHub repositories using the stolen tokens.

The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and allows arbitrary command execution every time a GitHub Discussion is opened. A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident.

“This version significantly enhances stealth by using the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages,” Cycode’s Ronen Slavin and Roni Kuznicki said. “It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one.”

The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. What’s more, the self-replicating nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time.

Further analysis by Aikido has uncovered that the threat actors exploited vulnerabilities in existing GitHub Actions workflows, specifically CI misconfigurations in pull_request_target and workflow_run workflows, to pull off the attack and compromise projects associated with AsyncAPI, PostHog, and Postman.

The vulnerability “used the dangerous pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run,” security researcher Ilyas Makari said. “A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day.”
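
Both the rogue workflows described above (a Discussion-triggered job on a self-hosted runner plus a secret-harvesting job) and the pull_request_target misconfiguration Aikido describes leave a recognisable shape in a repository’s .github/workflows directory. The Python scanner below is an added example written for this article; it is not code from Aikido, Socket, Cycode or the campaign itself. It works on the raw YAML text with line-level heuristics rather than a YAML library, so it needs no dependencies. The three sample workflows embedded in it are constructed for the example and are not the campaign’s real files; the list of commands treated as “executes repository code” is a representative assumption; and the check for a serialised secrets context (toJSON(secrets)) is an assumed harvesting technique that the article does not spell out. It does not cover the workflow_run misconfigurations the article also mentions.

```python
"""Heuristic scan of GitHub Actions workflow YAML for the patterns discussed above."""
import re
from dataclasses import dataclass

# Constructed samples for this example; they are not the campaign's real workflow files.
VULNERABLE_PR_TARGET = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm test
"""
HARDENED_PR = """\
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test
"""
ROGUE_DISCUSSION = """\
on:
  discussion:
jobs:
  handle:
    runs-on: self-hosted
    steps:
      - run: ${{ github.event.discussion.body }}
"""


@dataclass
class Finding:
    workflow: str
    rule: str
    line: int        # 1-based line within the workflow text
    evidence: str


HEAD_REF = ("github.event.pull_request.head.sha", "github.event.pull_request.head.ref", "github.head_ref")
RUNS_TREE = re.compile(r"\b(npm|pnpm|yarn|bun)\s+(ci|install|i|test|run)\b|\bmake\b|\bpip install\b")
SECRETS_DUMP = re.compile(r"tojson\(\s*secrets\s*\)", re.IGNORECASE)  # assumed harvest technique


def parse_triggers(lines):
    """Event names under the top-level `on:` key, inline (`on: [a, b]`) or block form."""
    triggers, nested = set(), None
    start = next((i for i, l in enumerate(lines) if l.startswith("on:")), None)
    if start is None:
        return triggers
    inline = lines[start][3:].strip()
    if inline:                                   # `on: push` or `on: [push, pull_request]`
        return set(re.findall(r"[A-Za-z_]+", inline))
    for nxt in lines[start + 1:]:                # block form: direct children are event names
        if not nxt.strip() or nxt.lstrip().startswith("#"):
            continue
        indent = len(nxt) - len(nxt.lstrip())
        if indent == 0:                          # back at top level: the `on:` block is over
            break
        nested = nested or indent
        if indent == nested:
            triggers.add(nxt.strip().lstrip("- ").split(":")[0].strip())
    return triggers


def scan_workflow(name, text):
    lines = text.splitlines()
    triggers = parse_triggers(lines)
    findings, head_checked_out = [], False
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        # 1. pull_request_target runs with repo secrets; checking out the PR head brings in
        #    attacker-controlled code, and any later install/test step executes it.
        if "pull_request_target" in triggers and line.startswith("ref:") and any(h in line for h in HEAD_REF):
            findings.append(Finding(name, "pr-target-head-checkout", n, line))
            head_checked_out = True
        run = re.match(r"(?:-\s*)?run:\s*(.*)", line)
        if head_checked_out and run and RUNS_TREE.search(run.group(1)) and all(f.rule != "pr-target-runs-pr-code" for f in findings):
            findings.append(Finding(name, "pr-target-runs-pr-code", n, line))
        # 2. Discussion-triggered job on a self-hosted runner: the backdoor workflow shape.
        if triggers & {"discussion", "discussion_comment"} and line.startswith("runs-on:") and "self-hosted" in line:
            findings.append(Finding(name, "discussion-self-hosted-runner", n, line))
        # 3. Serialising the whole `secrets` context: the harvest-everything shape.
        if SECRETS_DUMP.search(line):
            findings.append(Finding(name, "secrets-context-dump", n, line))
    return findings


if __name__ == "__main__":
    samples = {"vuln.yml": VULNERABLE_PR_TARGET, "hardened.yml": HARDENED_PR, "discussion.yml": ROGUE_DISCUSSION}
    for wf, text in samples.items():
        print(wf, [(f.line, f.rule) for f in scan_workflow(wf, text)] or "clean")
```

The hardened sample shows the contrast: the pull_request event gives forked pull requests no repository secrets, the default checkout is the merge ref rather than the PR head, and --ignore-scripts keeps the dependencies’ install hooks from running. To use the scanner on a real repository, read each file under .github/workflows and pass its text to scan_workflow; anything it flags under rule 2 on a machine you own is worth treating as an incident rather than a misconfiguration.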

It’s assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm.

“As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year,” Nadav Sharkazy, a product manager at Apiiro, said in a statement.

“This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation.”

Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files have been uploaded to GitHub with the exfiltrated secrets. GitGuardian’s analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, of which 2,298 remained valid and publicly exposed as of November 24, 2025.

Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement.
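
For the “audit all dependencies” and “remove compromised versions” steps, the two file names the article gives (the setup_bun.js loader and the bun_environment.js payload) are enough for a first local sweep of an npm project. The script below is an added example, not code from the article or from any vendor it cites. It walks a project’s node_modules tree, including scoped and nested packages, and flags lifecycle scripts that reference the loader, payload files sitting in a package root (an assumption about where they are dropped), and any package matching a blocklist. That blocklist holds a single constructed entry, posthog-node 4.18.1, derived from the article’s org.mvnpm:posthog-node:4.18.1 on the assumption that mvnpm preserves the npm package name and version; a real sweep would load the vendors’ full indicator lists instead. The node_modules tree it scans is built in a temporary directory with placeholder files so the example runs offline; the package names left-pad, @acme/widget and helper are constructed for the demo.

```python
"""Sweep an npm project's node_modules for the Sha1-Hulud components named above."""
import json
import tempfile
from pathlib import Path

# Indicators taken from the article: the loader and the main payload file names.
IOC_FILES = ("setup_bun.js", "bun_environment.js")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Constructed blocklist. Sole entry: the npm coordinates behind the article's
# org.mvnpm:posthog-node:4.18.1, assuming mvnpm keeps npm name and version.
# A real sweep would load the vendors' full IOC lists here.
KNOWN_BAD = {("posthog-node", "4.18.1")}


def iter_package_dirs(node_modules: Path):
    """Yield every package dir below node_modules, including scoped and nested ones."""
    for entry in sorted(node_modules.iterdir()):
        if not entry.is_dir() or entry.name.startswith("."):     # skips .bin, .cache
            continue
        children = sorted(entry.iterdir()) if entry.name.startswith("@") else [entry]
        for pkg_dir in children:
            if (pkg_dir / "package.json").is_file():
                yield pkg_dir
            if (pkg_dir / "node_modules").is_dir():               # nested dependency tree
                yield from iter_package_dirs(pkg_dir / "node_modules")


def scan_package(pkg_dir: Path) -> list[str]:
    """Return the reasons a package looks compromised (empty list when clean)."""
    try:
        meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [f"unreadable package.json: {exc}"]
    reasons = []
    name, version = meta.get("name", pkg_dir.name), str(meta.get("version", ""))
    if (name, version) in KNOWN_BAD:
        reasons.append(f"known compromised version {name}@{version}")
    scripts = meta.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:                 # the loader is launched from an install hook
        cmd = str(scripts.get(hook, ""))
        if any(ioc in cmd for ioc in IOC_FILES):
            reasons.append(f"{hook} script references loader: {cmd}")
    for ioc in IOC_FILES:                        # payload dropped in the package root (assumed)
        if (pkg_dir / ioc).is_file():
            reasons.append(f"payload file present: {ioc}")
    return reasons


def sweep(project_root: Path) -> dict[str, list[str]]:
    """Map each suspicious package path (relative to the project, POSIX form) to its reasons."""
    node_modules = project_root / "node_modules"
    if not node_modules.is_dir():
        return {}
    hits = {}
    for pkg_dir in iter_package_dirs(node_modules):
        reasons = scan_package(pkg_dir)
        if reasons:
            hits[pkg_dir.relative_to(project_root).as_posix()] = reasons
    return hits


def build_fixture(root: Path) -> None:
    """Constructed node_modules tree: one clean, one trojanized, one nested scoped package."""
    def write_pkg(path, meta, files=()):
        path.mkdir(parents=True, exist_ok=True)
        (path / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        for f in files:                          # placeholders, not the real payload
            (path / f).write_text("// constructed placeholder\n", encoding="utf-8")
    nm = root / "node_modules"
    write_pkg(nm / "left-pad", {"name": "left-pad", "version": "1.3.0"})
    write_pkg(nm / "posthog-node",
              {"name": "posthog-node", "version": "4.18.1",
               "scripts": {"preinstall": "node setup_bun.js"}}, IOC_FILES)
    write_pkg(nm / "@acme" / "widget", {"name": "@acme/widget", "version": "2.0.0"})
    write_pkg(nm / "@acme" / "widget" / "node_modules" / "helper",
              {"name": "helper", "version": "0.1.0",
               "scripts": {"postinstall": "node setup_bun.js"}}, ["setup_bun.js"])


def run_demo() -> dict[str, list[str]]:
    """Build the fixture in a temp dir, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return sweep(root)


if __name__ == "__main__":
    for path, reasons in run_demo().items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Point sweep() at a real project root instead of the fixture. A hit is a reason to treat every token that project’s developers and CI hold as exposed and rotate it, not merely to delete the package and reinstall: the article’s whole point is that the payload has already read and shipped those secrets by the time it is noticed.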

“Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break,” Dan Lorenc, co-founder and CEO of Chainguard, said. “A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours.”

“The techniques attackers are using are constantly evolving. Most of these attacks don’t rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed.”
