Shai-Hulud 2.0: Inside The Second Coming, the Most Aggressive npm Supply Chain Attack of 2025

The Shai-Hulud 2.0 campaign, referred to by its operators as The Second Coming, is one of the most extensive and fast-moving npm supply chain attacks observed in recent years. Between 21 and 23 November 2025, the attackers compromised hundreds of npm packages and more than 25,000 GitHub repositories in only a few hours. Unlike traditional malware that activates after installation, this campaign abuses the npm preinstall lifecycle script, so the malicious payload runs before installation completes, and even when installation fails.
Check Point researchers analyzed a large set of the attacker-created repositories and confirmed that the campaign exposed multi-cloud and developer credentials at significant scale. Of approximately 20,000 repositories reviewed, the following credentials were verified as exposed:
- 775 GitHub access tokens
- 373 AWS credentials
- 300 GCP credentials
- 115 Azure credentials
While many entries were duplicates resulting from repeated executions in identical CI/CD environments, a substantial number of valid and sensitive secrets remained, illustrating the wide impact of this incident.
Timeline of the campaign
September 2025: The first Shai-Hulud attack appears, compromising npm libraries and resulting in the theft of approximately 50 million dollars in cryptocurrency.
21 to 23 November 2025: The new wave begins. Attackers introduce expanded payloads, new propagation methods and broader automation.
24 November 2025: Security vendors begin publishing alerts confirming widespread compromise across npm and CI/CD environments.
How the Shai-Hulud attack works
The infection starts with trusted or lookalike npm packages that are either hijacked or maliciously published. Once a developer installs an affected package, the malicious code executes during the preinstall step, giving the attacker early access inside the development or build environment.
The payload consists of two main components:
- setup_bun.js, which installs the Bun runtime
- bun_environment.js, which executes the core malicious logic
Using Bun instead of Node.js is an intentional evasion technique. Most security tools and sandboxes are optimized to track Node.js behavior, which makes Bun an attractive way to operate outside common detection paths.
Once executed, the malware enumerates environment variables, SSH keys, GitHub tokens, npm tokens, CI/CD variables and cloud credentials across AWS, Azure and GCP. The collected secrets are written into structured JSON files such as cloud.json, environment.json and actionsSecrets.json.
Instead of communicating with external command and control servers, the attackers exfiltrate the stolen data to GitHub. They create public repositories labelled Sha1-Hulud: The Second Coming and upload the stolen secrets directly into them. This technique blends malicious activity into legitimate GitHub API traffic and makes identification significantly more difficult.
The malware then establishes persistence. It registers infected systems as self-hosted GitHub runners, enabling attackers to execute arbitrary workflows remotely. In addition, rogue workflow files can be inserted into victim repositories to maintain long-term access, even if the compromised package is later removed. The malware also includes a destructive failsafe mechanism capable of wiping local files when it detects containment or analysis.
Propagation is partially automated. Stolen credentials are used to publish new malicious npm packages or create new GitHub repositories, producing a worm-like expansion across the JavaScript ecosystem.
Impact
The scale of exposure is substantial. The campaign resulted in:
- 621 infected npm packages
- 25,000 compromised GitHub repositories
- 487 affected GitHub organizations
- 14,206 leaked secrets, including 2,485 that remained valid
The exposed data includes GitHub and npm tokens, SSH keys, cloud provider credentials and CI/CD secrets. Affected ecosystems span crypto-related libraries, workflow automation tools and a range of development platforms.
The campaign shows how easily a dependency-level compromise can escalate into full multi-cloud access, long-term developer identity exposure and widespread infiltration of CI/CD workflows.
Recommended steps
Organizations using npm should assume possible exposure and take immediate action:
- Audit dependency manifests and lockfiles
- Remove compromised packages and reinstall from trusted sources
- Clear the npm cache
- Rotate all secrets used in development and CI/CD environments
- Inspect GitHub runners and delete any unauthorized or unknown entries
- Remove rogue workflow files where present
Preventive measures
- Enforce MFA on all GitHub and npm accounts
- Monitor for unexpected repositories created within GitHub organizations
- Apply SBOM based scanning and integrity checks
- Strengthen CI/CD isolation and secret handling policies