Return of the Shai-Hulud worm affects over 25,000 GitHub repositories
ID: 855ae072-1ada-578a-8ba9-c9a2a867889a
STIX ID: report--855ae072-1ada-578a-8ba9-c9a2a867889a
Feed Name: Sysdig Blog
Sysdig Threat Research details the return of the Shai-Hulud worm: a supply-chain campaign that has trojanized roughly 800–1,000 npm packages and exfiltrated credentials from tens of thousands of GitHub repositories. The worm executes during package installation, steals tokens and cloud/GitHub secrets, attempts to propagate by republishing trojanized packages to npm, registers self-hosted GitHub Actions runners as a backdoor, and irreversibly shreds the user's files if propagation fails. The report includes code excerpts, detection rules, and remediation recommendations.
