Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact
ID: 1e08d5f0-b593-5a65-ae0e-5b46fa096753
STIX ID: report--1e08d5f0-b593-5a65-ae0e-5b46fa096753
Feed Name: Wiz Blog
Shai-Hulud 2.0 is an active, large-scale supply-chain worm that compromised npm packages and GitHub repositories to harvest CI/GitHub credentials and thousands of secrets, producing over 30,000 exposed repositories and roughly 24,000 environment.json files. Attackers leveraged compromised tokens to spread across victims and mirrored artifacts into other ecosystems (e.g., Maven/OpenVSX). The report details infection trends, predominant vectors (@postman/tunnel-agent-0.6.7 and @asyncapi/specs-6.8.3), victimology (majority Linux containers and CI runners such as GitHub Actions), the noisy but substantial corpus of leaked secrets (including many still-valid tokens), and timelines and mitigations from impacted vendors and the security community.
