Return of Shai-Hulud: The “Second Coming” of the NPM Supply Chain Compromise

ID: 2f81eaa2-e443-59fe-859b-0ae29dd972be

STIX ID: report--2f81eaa2-e443-59fe-859b-0ae29dd972be

Feed Name: Pulsedive Blog

Threat Score
90/100

Date Published: 2025-11-26

Date Updated: 2026-04-28

Author: Pulsedive Threat Research

...
...

Between Nov 21 and 25, 2025, security vendors reported Shai-Hulud 2.0, a supply-chain campaign that compromised multiple popular npm packages, including packages tied to Zapier, ENS Domains, PostHog, and Postman. The malicious package code injects GitHub workflows that exfiltrate system and cloud secrets (AWS/GCP/Azure), encoding the collected data and committing it to public GitHub repositories. It also contains destructive routines that overwrite and delete user files if no GitHub or NPM tokens are found. Researchers observed environment dumps containing sensitive values, and vendors were actively removing the repositories.