Return of the Shai-Hulud worm affects over 25,000 GitHub repositories
ID: ff69c1d9-f443-5804-8177-a32de569f4ca
STIX ID: report--ff69c1d9-f443-5804-8177-a32de569f4ca
Feed Name: Sysdig Blog
On 2025-11-24 the Sysdig Threat Research Team published an analysis of the second-wave Shai-Hulud worm, a supply-chain campaign that backdoored nearly 1,000 NPM packages. The backdoored packages steal NPM, GitHub and cloud credentials, exfiltrate the harvested secrets to attacker-controlled GitHub repositories, install self-hosted GitHub Actions runners as persistent backdoors and, when no NPM token is found on the host, shred the user's files. The report covers technical indicators; propagation and execution (preinstall scripts that invoke bun, plus large obfuscated payloads); secret harvesting (AWS, GCP, Azure and TruffleHog); the malware's cleanup behavior; detection rules; and remediation recommendations (remove the compromised packages, rotate tokens, audit CI/CD pipelines and repositories).
