Bun and done: The second coming of the Shai-Hulud worm
ID: 78621052-774c-5049-a284-064ce7a54d0c
STIX ID: report--78621052-774c-5049-a284-064ce7a54d0c
Feed Name: Red Canary
On November 24, 2025, the "Shai-Hulud: The Second Coming" worm compromised hundreds of npm packages, deploying Bun-based payloads (e.g., `setup_bun.js`, `bun_environment.js`) that used TruffleHog to steal cloud access keys, GitHub tokens, and npm tokens and exfiltrated them to public GitHub repositories. The stolen credentials were then used to self-propagate, and the campaign included a destructive fallback to delete user home directories. The report details detection methods, containment recommendations (remove affected packages, rotate credentials, check for exposed repos), and analytics developed during response; detections subsided by November 26.
