Banks, Governments, Fortune 500 Tech: Inside the Environments Compromised by Shai Hulud 2.0

Peleg Cabra, Director of Product Marketing
November 27, 2025

Ever since it was discovered on November 24, 2025, Shai Hulud 2.0 has mostly been described by researchers as an npm supply chain worm that spawned thousands of GitHub repositories and scraped millions of secrets into secrets.json files. That view focuses on where the data ended up, not where it came from.

Entro researchers analyzed over 30,000 Shai Hulud 2.0 repos and tied exfiltrated data to 1,195 organizations, including major banks, governments, and Fortune 500 tech. In multiple cases, high-value cloud and CI credentials were still valid more than 72 hours after public disclosure. By decoding double-base64-encoded payloads in environment.json and related files, we were able to reconstruct these environments, tie them to specific machines and users, and validate that highly sensitive credentials remain usable.

Reframing Sha1-Hulud: Who Was Actually Compromised

Most early writeups describe Shai Hulud 2.0 as an npm supply chain malware that “exposed thousands of GitHub repositories” and dumped secrets into secrets.json files. That wording quietly implies the primary victims were the repos themselves, and that the problem lived mostly in source control. Our analysis points elsewhere. The GitHub repositories linked to Shai Hulud 2.0 were primarily a collection and exfiltration layer: a place where the malware aggregated what it had already taken from CI pipelines, developer endpoints, and cloud-connected machines. The assets actually exposed were the runtime environments, their in-memory secrets, and their local configuration, not the repositories used to store the loot.

In the rest of this report, when we refer to “victims,” we are talking about those environments and the organizations behind them, not just the attacker-controlled repos where the data eventually landed.

Key Findings

  1. Banks, governments, and Fortune 500 companies are affected
  2. 30,000+ attacker-controlled repos cloned before takedown
  3. 1,195 organizations identified across tech, finance, government, healthcare
  4. 55.7% of affected orgs are technology/SaaS companies
  5. Valid cloud and CI credentials observed up to 72+ hours after disclosure

Aftermath: Attributing Compromised Machines to Target Organizations

Before GitHub began removing the attacker-controlled repos, we analyzed roughly 30,000 Shai Hulud 2.0 repos. From this dataset, we were able to attribute a significant portion of the compromised environments to real business entities rather than anonymous hobby projects.

Attribution was based on multiple independent signals extracted from decoded environment.json payloads and related files, including:

  • Email domains and tenant identifiers embedded in environment variables and configuration
  • Internal hostnames, service names, and URL patterns characteristic of specific organizations or sectors
  • Validation of a limited, ethically selected subset of secrets to confirm they mapped to live systems

Aggregating these signals, we built a sector-level view of the victims: financial institutions, government and public-sector bodies, and large technology and SaaS providers accounted for the majority of attributable environments. The accompanying chart (Figure 1) breaks down the affected machines by vertical and shows absolute counts per industry.

Figure 1: Sector-level view of the victims: affected machines broken down by vertical, with absolute counts per industry.

Technology and SaaS companies account for 647 out of 1,195 organizations (~55%), followed by healthcare (38), financial services and banking (53 combined), insurance (26), media (21), telecom (20), logistics (15) and a long tail of other verticals, including government, education, manufacturing, real estate, aviation and retail.

Because GitHub has since started to remove these repositories (new repos still pop up), much of the original evidence is no longer accessible to defenders. This is precisely why we chose to publish our findings and begin a responsible disclosure process: to give affected organizations enough context to react, and to help the broader community understand that Shai Hulud 2.0 reached deep into CI pipelines, endpoints, and cloud assets.

The scale and the types of the organizations we see here are alarming, and they show how effective this campaign actually is. In the next section, we illustrate this with two concrete examples from the compromised environments.

Two Examples from Shai Hulud-Compromised Environments

On each compromised machine, Shai Hulud 2.0 wrote a small bundle of JSON artifacts that captured different slices of the environment. The directory below shows a typical exfil set from a single machine, although not every dump contains all 5 files:

  • environment.json: a runtime environment dump (including the double-encoded memory snapshot)
  • truffleSecrets.json: aggregated findings from an open-source secrets scanning tool
  • actionsSecrets.json
  • cloud.json
  • contents.json

These files are the basis for the environment research and victim attribution in this report. 

The first “victim” example was attributed to one of the world’s largest semiconductor companies.

Figure 2. Example Shai Hulud 2.0 exfil bundle/repo of a compromised machine, showing JSON artifacts used to collect secrets and environment data.

One of the most important artifacts in each exfil bundle was environment.json. In many cases, this file contained a large base64 blob that was itself base64-encoded a second time. Decoding it twice revealed structured memory snapshots from the victim’s endpoint.

Figure 3. Double-base64-encoded payload stored in environment.json.

Decoding the double-base64 payload in environment.json yields a structured memory dump of a self-hosted GitHub Actions runner. It exposes environment variables holding live secrets (including a GitHub Personal Access Token and a runner token), internal hostnames that identify the organization, and runtime context such as the resolved npm package (@postman/tunnel-agent), which was likely the compromised variant that triggered the exfiltration on this machine.

Figure 4. Decoded environment.json from a compromised runner, showing environment variables with active tokens, internal hostnames, and the npm package that likely initiated the Shai Hulud 2.0 payload.
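The decode-and-inventory step described above, as an added example that is not part of the original report or of Entro's tooling. It assumes environment.json carries a JSON snapshot with an `env` map that was serialised and base64-encoded twice; the sample runner environment, hostnames and token values are constructed placeholders, and the provider prefixes (ghp_/github_pat_, glpat-, AKIA, xox) are the publicly documented token formats. It generalises a little beyond the page by classifying several provider types, not only the GitHub tokens shown in Figure 4.

```python
"""Decode a double-base64 environment.json snapshot and inventory the secrets it exposes."""
import base64
import json
import re

# Constructed sample (not real data): the environment of a self-hosted CI runner
# as the malware would have captured it, before the double base64 encoding.
SAMPLE_ENV = {
    "env": {
        "GITHUB_TOKEN": "ghp_0000000000000000000000000000000000ab",
        "RUNNER_TOKEN": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "AWS_ACCESS_KEY_ID": "AKIA0000000000000000",
        "AWS_SECRET_ACCESS_KEY": "0000000000000000000000000000000000000000",
        "SLACK_BOT_TOKEN": "xoxb-000000000000-000000000000-placeholder",
        "GITLAB_HOST": "gitlab.build.example-corp.internal",
        "HOSTNAME": "ci-runner-07.build.example-corp.internal",
        "npm_lifecycle_event": "preinstall",
        "npm_package_name": "example-app",
        "PATH": "/usr/local/bin:/usr/bin",
        "HOME": "/home/runner",
    }
}


def encode_twice(obj):
    """Serialise obj as JSON and base64-encode it twice, mirroring the layering
    observed in environment.json (used here only to build the sample blob)."""
    once = base64.b64encode(json.dumps(obj).encode())
    return base64.b64encode(once).decode()


SAMPLE_BLOB = encode_twice(SAMPLE_ENV)  # stands in for the blob read from environment.json


def decode_twice(blob):
    """Reverse the double base64 layer and parse the JSON snapshot inside."""
    return json.loads(base64.b64decode(base64.b64decode(blob)))


# Variable names that usually carry a credential regardless of provider.
SENSITIVE_KEY = re.compile(
    r"(TOKEN|SECRET|PASSW(OR)?D|API_?KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL|WEBHOOK)",
    re.IGNORECASE,
)

# Publicly documented value prefixes: identify the issuing provider so the right
# owner can be asked to revoke and rotate.
VALUE_PREFIXES = [
    ("GitHub personal access token", re.compile(r"^(ghp_|github_pat_)")),
    ("GitLab personal access token", re.compile(r"^glpat-")),
    ("AWS access key id", re.compile(r"^AKIA[0-9A-Z]{16}$")),
    ("Slack token", re.compile(r"^xox[abp]-")),
]


def classify(key, value):
    """Return a human-readable secret type, or None if the variable looks benign."""
    for label, pattern in VALUE_PREFIXES:
        if pattern.search(value):
            return label
    if SENSITIVE_KEY.search(key):
        return "credential (by variable name)"
    return None


def redact(value):
    """Keep a 4-character prefix so analysts can correlate without re-exposing the value."""
    return value[:4] + "*" * max(0, min(len(value) - 4, 12))


def triage(blob):
    """Decode one environment.json blob and summarise what it exposes."""
    env = decode_twice(blob)["env"]
    secrets = []
    for key, value in env.items():
        kind = classify(key, value)
        if kind:
            secrets.append({"key": key, "type": kind, "value": redact(value)})
    hostnames = sorted(v for k, v in env.items() if "HOST" in k.upper())
    return {
        "lifecycle_event": env.get("npm_lifecycle_event"),  # "preinstall" = ran at install time
        "package": env.get("npm_package_name"),
        "hostnames": hostnames,  # attribution signal: which organisation's machine
        "secrets": secrets,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BLOB), indent=2))
```

The inventory deliberately never prints a full credential: the redacted prefix is enough to match the finding to the provider's own token list during rotation, and the hostnames and lifecycle event answer the attribution and "how did it run" questions without the raw dump leaving the analyst's machine.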

After decoding truffleSecrets.json, we see structured output from the attacker’s bundled TruffleHog scanner. Each record ties a detected secret to its source (filesystem path and line), the detector used, and whether the secret was verified as valid. In this example, TruffleHog flags an active MongoDB credential found on the filesystem of the compromised runner.

The second “victim” example belongs to a global financial services provider.

In this second example, from a tier-1 digital financial services provider (a premium target for the threat actors behind campaigns like Shai Hulud 2.0), the bundle contained environment.json but no secrets.json or truffleSecrets.json. Nevertheless, it is one of the most secret-rich environments we have seen.

Figure 5. Exfil bundle from a developer’s endpoint where only environment.json was produced, indicating that memory was exfiltrated even without a generated secrets.json file.

We decoded environment.json from a GitLab CI job running in a cloud environment at this tier-1 digital-asset custody provider. The dump shows the full CI context for an end-to-end test pipeline: GitLab project metadata, npm configuration, and multiple high-value environment variables containing live secrets. These include an AWS_SECRET_ACCESS_KEY, blockchain-related production tokens, a security API key, Slack tokens, Jira webhooks and a GitLab Personal Access Token.

The npm_lifecycle_event: “preinstall” value confirms that the Shai Hulud 2.0 payload executed during the preinstall phase of a compromised npm dependency, meaning simply installing dependencies in this job was enough to leak production-adjacent secrets from this environment.

To understand which of the exposed credentials were still usable, we ingested this environment.decoded.json file into the Entro platform. Entro automatically classified 18 distinct secrets in this single dump, spanning AWS full credentials, Slack and Atlassian tokens, Jira and Codecov keys, and GCP service account credentials. While some had already been revoked, the GCP Service Account key was still marked as Valid when we ran the scan on 27 November, three days after Shai Hulud 2.0 was first disclosed.

Figure 6. Entro scan of environment.decoded.json from the compromised environment of the financial services company. An active token is visible.

What Shai Hulud 2.0 Means for Defenders

Shai Hulud 2.0 will disappear from headlines. The environments it exposed will not. This campaign didn’t just fill GitHub repos with secrets.json – it pulled full runtime context from CI pipelines, developer endpoints and cloud machines in banks, governments and Fortune 500 tech, with many service accounts and other high-value credentials still usable days after disclosure.

The takeaway is simple: any place code runs is now a potential memory-dump target. Defenders should focus on three things:

  • Keep fewer secrets in CI and developer environments.
  • Treat non-human identities as managed assets with owners, scope and rotation, so that their usage is understood, potential abuse is detected, and the loop is closed quickly with their human owners if something goes awry.
  • Be able to quickly answer “which secrets were exposed, which identities they belong to, and are they actually revoked?”

By now it should be clear that Shai Hulud 2.0 is not just “an npm incident” but a preview of how fast a supply-chain campaign can turn everyday pipelines into a full inventory and compromise of your non-human identities.

Special thanks to Yehonathan Tsirolnik, Entro’s VP of Solutions Engineering, and the CTO Office Team for their research.
