Stories from the SOC: The second coming of Shai Hulud
ID: 2f36fcf5-aa7f-5a38-86a1-ee81b4b4f718
STIX ID: report--2f36fcf5-aa7f-5a38-86a1-ee81b4b4f718
Feed Name: Expel Blog
This report details "Shai Hulud: The Second Coming," a large-scale NPM supply-chain malware campaign. The malware executes via preinstall scripts that install a Bun-based payload, which harvests cloud, registry, and VCS credentials (including by running TruffleHog), exfiltrates the stolen secrets to attacker-controlled public GitHub repositories, registers persistent self-hosted GitHub Actions runners for backdoor access, and self-propagates by publishing compromised package versions. The report includes indicators of compromise, the observed scope (tens of thousands of repositories and hundreds of packages), and remediation guidance covering credential rotation, package cleanup, and CI hardening.