Shai-Hulud 2.0 Breach Exposes 400,000 Secrets After Massive NPM Supply-Chain Attack

 

The second wave of the Shai-Hulud malware attack last week led to the exposure of nearly 400,000 raw secrets after compromising hundreds of NPM (Node Package Manager) packages and leaking stolen data across more than 30,000 GitHub repositories.

While only around 10,000 of those secrets were confirmed as valid using the TruffleHog open-source scanning tool, cloud security company Wiz reports that over 60% of the NPM tokens leaked in this incident were still active as of December 1st.

Shai-Hulud first surfaced in mid-September, infecting 187 NPM packages with a worm-like payload. The malware scanned systems for account tokens using TruffleHog, injected a harmful script into the targeted packages, and then automatically republished them.

In the latest attack, the threat escalated—impacting more than 800 packages (including all affected versions) and adding a destructive feature capable of wiping a victim’s home directory under specific conditions.

During their review of the secrets spilled by Shai-Hulud 2.0 into over 30,000 GitHub repositories, Wiz researchers found several types of sensitive files exposed:

• About 70% of repositories contained a contents.json file with GitHub usernames, tokens, and file snapshots

• Around 50% stored truffleSecrets.json with TruffleHog scan results

• Nearly 80% included environment.json, which revealed OS details, CI/CD metadata, npm package information, and GitHub credentials

• 400 repositories had actionsSecrets.json, exposing GitHub Actions workflow secrets

Wiz notes that the malware used TruffleHog without the --only-verified flag, meaning the full set of 400,000 leaked secrets only matched valid formats—they weren’t necessarily functional. Even so, the dataset still contained active credentials.

“While the secret data is extremely noisy and requires heavy deduplication efforts, it still contains hundreds of valid secrets, including cloud, NPM tokens, and VCS credentials,” Wiz explained.

“To date, these credentials pose an active risk of further supply chain attacks. For example, we observe that over 60% of leaked NPM tokens are still valid.”

From the 24,000 environment.json files analyzed, nearly half were unique. About 23% originated from developer machines, with the remainder linked to CI/CD systems or similar automated environments.

The investigation also showed that 87% of compromised machines were running Linux, and 76% of infections occurred within containerized environments. Among CI/CD services, GitHub Actions was the most affected, followed by Jenkins, GitLab CI, and AWS CodeBuild.

When examining which packages were hit hardest, Wiz identified @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3 as the most impacted—together accounting for over 60% of all infections. Researchers believe the overall damage could have been significantly reduced if these key packages had been flagged and taken down early.

The infection pattern also revealed that 99% of attacks triggered during the preinstall event, specifically through the node setup_bun.js script. The few anomalies observed were likely test runs.

Wiz warns that the operators behind Shai-Hulud are likely to continue refining their methods. The team expects more waves of supply-chain attacks powered by the extensive trove of leaked credentials gathered so far.