Shai-Hulud V2 Poses Risk to NPM Supply Chain
ID: 20b12de5-a825-51d5-b90b-cf117399ae7b
STIX ID: report--20b12de5-a825-51d5-b90b-cf117399ae7b
Feed Name: Zscaler Security Research Blog
Shai-Hulud V2 is a highly capable npm supply-chain worm. It executes via preinstall hooks using the Bun runtime, harvests tokens and cloud credentials from developer and CI/CD environments, and exfiltrates the stolen data to attacker-owned GitHub repositories. It propagates by publishing infected npm packages with stolen tokens, installs self-hosted GitHub Actions runners as persistent backdoors, and includes a dead-man switch that destroys data. The report provides detailed technical analysis, code snippets, and operational impacts.
