The Shai-Hulud 2.0 npm worm: analysis, and what you need to know

ID: e68ba971-81f0-5352-96b6-72a5b5946116

STIX ID: report--e68ba971-81f0-5352-96b6-72a5b5946116

Feed Name: Datadog Security Labs

Threat Score: 88/100

Date Published: 2025-11-25

Date Updated: 2026-04-27

Datadog Security Labs documents the Shai-Hulud 2.0 npm worm (discovered Nov 24, 2025), a self-replicating supply-chain malware that backdoored 796 npm packages (over 20M weekly downloads). The malware harvests local and cloud credentials, exfiltrates them to public GitHub repositories labeled "Sha1-Hulud:The Second Coming.", installs self-hosted GitHub runners for remote code execution, and propagates by publishing backdoored package versions. The report includes code excerpts, attack flow, observed hashes and indicators of compromise, and guidance for detection and mitigation.