Defending Against Sha1-Hulud: The Second Coming
ID: 29fc72d2-d13a-52a0-8f5f-97fe2b3eeb65
STIX ID: report--29fc72d2-d13a-52a0-8f5f-97fe2b3eeb65
Feed Name: SentinelOne Blog
**Shai-Hulud Worm 2.0 — SentinelOne Wayfinder Flash Report (25 Nov 2025):** This report describes an active npm supply-chain campaign that executes during the preinstall phase to deploy an obfuscated JavaScript payload (bun_environment.js), harvest AWS/GCP/Azure and development secrets (via TruffleHog), and persist by auto-registering self-hosted GitHub Actions runners and writing malicious workflow/discussion entries. It includes IOCs, detection rules, hunting queries, and immediate remediation recommendations.
