The second wave of the Shai-Hulud supply chain attack, also tracked as Sha1-Hulud, has spilled over into the Maven ecosystem after compromising more than 830 packages in the npm registry.
The Socket Research Team said it identified a Maven Central package, org.mvnpm:posthog-node:4.18.1, that contains the same two Sha1-Hulud components: the “setup_bun.js” loader and the main payload, “bun_environment.js.”
“This means that the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems with the same Shai Hulud v2 payload,” the cybersecurity firm said in an update on Tuesday.
It is worth noting that the Maven Central packages are not published by PostHog itself. Rather, the “org.mvnpm” coordinates are generated by an automated mvnpm process that rebuilds npm packages as Maven artifacts, so a compromised npm release is carried into Maven Central without any action by the upstream project. Maven Central said it is working to implement additional protections to prevent already-known compromised npm components from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies had been purged.
The development comes amid a resurgence of supply chain incidents targeting developers around the world, with the aim of stealing sensitive data such as API keys, cloud credentials, and npm and GitHub tokens, and of propagating deeper into the supply chain in a worm-like manner. The latest version is stealthier, more aggressive, more scalable, and more destructive than its predecessor.
In addition to reusing the entire infection chain of the original September variant, this wave compromises npm maintainer accounts and uses them to publish trojanized versions of packages. When an unsuspecting developer installs one of these libraries, the embedded malicious code opens a backdoor on the machine, scans it for secrets, and uses stolen tokens to exfiltrate them to a GitHub repository.
The attack accomplishes this by injecting two malicious workflows. One registers the victim’s machine as a self-hosted runner, allowing the attacker to execute arbitrary commands on it whenever a GitHub discussion is opened. The second is designed to collect all of the repository’s secrets systematically. The incident has affected more than 28,000 repositories.
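As an added example (not code from the article or from any of the vendors it cites), the following scanner walks an npm install tree for the two indicators named above, the “setup_bun.js” loader and the “bun_environment.js” payload, and for lifecycle scripts that invoke them. The assumption that the loader is wired in through an npm lifecycle hook (preinstall, install or postinstall) follows from the article’s description of a malicious installation script; the exact hook name is not given, so all three are checked. The package tree the script builds is constructed for illustration and stands in for no real release.

```python
"""Scan a node_modules tree for the Sha1-Hulud artefacts described in the article.

Added example, not the article's or any vendor's code. Indicators checked:
  - a file literally named setup_bun.js or bun_environment.js inside any package
  - a preinstall/install/postinstall script that references either file
Assumption: the loader is launched from an npm lifecycle script (the article
says "installation script" without naming the hook, so all three are checked).
"""
import json
import os
import tempfile
from typing import Dict, List

IOC_FILES = {"setup_bun.js", "bun_environment.js"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def scan_node_modules(root: str) -> List[Dict[str, str]]:
    """Walk `root` (a node_modules directory) and return one finding per indicator."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in IOC_FILES:
                findings.append({"type": "file", "path": os.path.join(dirpath, name)})
        if "package.json" not in filenames:
            continue
        pj_path = os.path.join(dirpath, "package.json")
        try:
            with open(pj_path, encoding="utf-8") as fh:
                pj = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        scripts = pj.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = str(scripts.get(hook, ""))
            if any(ioc in cmd for ioc in IOC_FILES):
                findings.append({
                    "type": "lifecycle_script",
                    "path": pj_path,
                    "package": f"{pj.get('name', '?')}@{pj.get('version', '?')}",
                    "hook": hook,
                    "command": cmd,
                })
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway node_modules tree: one clean package, one trojanized one.

    The package names and versions are made up for this example.
    """
    root = tempfile.mkdtemp(prefix="nm_")
    clean = os.path.join(root, "sample-clean-pkg")
    os.makedirs(clean)
    with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample-clean-pkg", "version": "1.0.0",
                   "scripts": {"test": "node test.js"}}, fh)
    bad = os.path.join(root, "sample-trojanized-pkg")
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample-trojanized-pkg", "version": "9.9.9",
                   "scripts": {"preinstall": "node setup_bun.js"}}, fh)
    for ioc in IOC_FILES:  # placeholders standing in for the malicious files
        with open(os.path.join(bad, ioc), "w", encoding="utf-8") as fh:
            fh.write("// placeholder for the purposes of this example\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for finding in scan_node_modules(tree):
        print(finding)
```

Run it against a real project by passing the project’s node_modules path to scan_node_modules; any hit means the package version should be removed and reinstalled from a known-clean release, and every token that was reachable from the machine treated as exposed.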
Ronen Slavin and Roni Kuznicki of Cycode said, “This version significantly enhances stealth by utilizing the Bun runtime to hide core logic, and increases potential scale by increasing the infection limit from 20 to 100 packages.” “New evasion techniques are also used to exfiltrate stolen data into randomly named public GitHub repositories rather than a single hard-coded repository.”

This attack shows how easily attackers can abuse trusted software distribution channels to push malicious versions at scale, putting thousands of downstream developers at risk. Because the malware is self-replicating, a single infected maintainer account can expand the scope of the attack and lead to a widespread outbreak in a short period of time.
Further analysis by Aikido revealed that the threat actors specifically exploited CI misconfigurations in existing GitHub Actions workflows using the pull_request_target and workflow_run triggers to compromise projects related to AsyncAPI, PostHog, and Postman.
Security researcher Ilyas Makari said the vulnerability “leveraged a dangerous pull_request_target trigger to allow code provided by a new pull request to be executed during a CI run.” “A single misconfiguration can turn a repository into patient zero for a rapidly spreading attack, allowing attackers to push malicious code through the automated pipelines they routinely rely on.”
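As an added example (not code from the article, from Aikido, or from any affected project), the script below audits GitHub Actions workflow text for the two patterns described on this page: a pull_request_target workflow that checks out and runs the pull request’s own code, and a discussion-triggered workflow that runs on a self-hosted runner. It also shows the weak workflow beside a corrected one. The audit is regex-based so that it needs no YAML library, which means an unusual layout can slip past it; the three workflow samples are constructed for illustration. The workflow_run trigger mentioned above is not covered because the article gives no detail of how it was misused.

```python
"""Heuristic audit of GitHub Actions workflows for the two patterns in the article.

Added example, not the article's or any vendor's code. Rules:
  1. pull_request_target runs with the base repository's secrets; checking out the PR
     head and running its install/build scripts hands those secrets to the PR author.
  2. a workflow triggered by discussion events that runs on a non-GitHub-hosted runner
     label matches the self-hosted-runner backdoor described in the article.
Regex-based on purpose (no YAML dependency); treat results as leads, not proof.
"""
import re
from typing import List

HOSTED_LABEL = re.compile(r"^(ubuntu|windows|macos)-", re.I)
PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")
INSTALL_STEP = re.compile(r"run:.*\b(npm (ci|install)|yarn|pnpm install|make)\b")
RUNS_ON = re.compile(r"runs-on:\s*(\S+)")


def _has_trigger(text: str, event: str) -> bool:
    """True if the workflow's `on:` section lists `event` (scalar, block or inline list)."""
    scalar = re.search(rf"^on\s*:\s*{event}\s*$", text, re.M)
    block = re.search(rf"^\s+{event}\s*:", text, re.M)
    inline = re.search(rf"^on\s*:\s*\[[^\]]*\b{event}\b", text, re.M)
    return bool(scalar or block or inline)


def audit_workflow(text: str) -> List[str]:
    findings: List[str] = []
    if _has_trigger(text, "pull_request_target"):
        head = PR_HEAD_REF.search(text)
        if head and INSTALL_STEP.search(text):
            findings.append("pull_request_target checks out PR head and runs its scripts")
        elif head:
            findings.append("pull_request_target checks out PR head (review what runs on it)")
    if _has_trigger(text, "discussion"):
        for m in RUNS_ON.finditer(text):
            label = m.group(1).strip("'\"[],")
            if not HOSTED_LABEL.match(label):
                findings.append(f"discussion trigger runs on non-hosted runner '{label}'")
    return findings


# Constructed samples. The weak one mirrors the misconfiguration described in the article.
VULNERABLE_WORKFLOW = """
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm test
"""

# Corrected: plain pull_request runs fork code without repository secrets, and the
# checkout no longer pulls the PR head into a privileged context.
FIXED_WORKFLOW = """
name: CI
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
"""

# Constructed sample of the backdoor shape: discussion events dispatched to a self-hosted runner.
DISCUSSION_WORKFLOW = """
name: Discussion
on:
  discussion:
    types: [created]
jobs:
  handle:
    runs-on: self-hosted
    steps:
      - run: echo "${{ github.event.discussion.body }}"
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW),
                     ("discussion", DISCUSSION_WORKFLOW)]:
        print(name, audit_workflow(wf))
```

To audit a repository, read each file under .github/workflows and pass its contents to audit_workflow; any workflow that does not belong in the repository’s history at all, which is what the injected workflows are, is a finding in its own right regardless of what the rules report.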
This activity is assessed as a continuation of a broader series of attacks targeting the ecosystem, starting with the S1ngularity campaign in August 2025 that affected several Nx packages on npm.
“Shai-Hulud 2 is a new and highly aggressive wave of npm supply chain malware that combines stealth execution, wide credential breadth, and destructive behavior with fallbacks, making it one of the most impactful supply chain attacks this year,” Nadav Sharkazy, product manager at Apiiro, said in a statement.
“By Trojanizing legitimate packages during installation, this malware demonstrates how a compromise of one popular library can spread to thousands of downstream applications.”
Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign compromised hundreds of GitHub access tokens and credentials related to Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. Over 5,000 files containing leaked secrets were uploaded to GitHub. GitGuardian’s analysis of 4,645 GitHub repositories identified 11,858 unique secrets, of which 2,298 remain valid and publicly available as of November 24, 2025.
Users are advised to rotate all tokens and keys, audit their dependencies, remove compromised versions and reinstall clean ones, and harden their developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement.
“Sha1-Hulud is yet another reminder that modern software supply chains are still far too easy to break,” said Dan Lorenc, co-founder and CEO of Chainguard. “It only takes one compromised maintainer and a malicious installation script to spread to thousands of downstream projects in a matter of hours.”
“The techniques used by attackers are constantly evolving. Most of these attacks do not rely on zero-days. They exploit gaps in the way open source software is published, packaged, and incorporated into production systems. The only real defense is to change the way software is built and used.”