Inside Shai-Hulud’s Maw: How The NPM Worm Exploits And Propagates
ID: 88f08b43-872d-540f-ba58-cf53703de0e9
STIX ID: report--88f08b43-872d-540f-ba58-cf53703de0e9
Feed Name: Checkmarx Zero
This report analyzes the Shai-Hulud NPM worm and its evolved variant “The Second Coming,” describing how the malware steals developer credentials and cloud secrets, propagates through injected package scripts and GitHub workflows, exfiltrates data to attacker-controlled repositories, tampers with host/network security, and installs a self-hosted GitHub Actions runner as a persistent backdoor; the second version adds stronger obfuscation, broader cloud targeting (including Azure), destructive fallback (wiping user profiles), and privilege-escalation/network tampering behaviors.
