Shai Hulud 2.0: Zapier, GitHub and the Worm Turning npm Installs into Secret Exposure Pipelines
A new Shai Hulud style supply chain campaign has compromised npm packages from Zapier, ENS Domains, PostHog, Postman and many others. The malware runs during npm install, harvests developer and CI/CD secrets, then exfiltrates them into attacker controlled GitHub repositories that reference “Shai-Hulud” or “Sha1-Hulud: The Second Coming.” Security researchers report more than 26,000 affected repositories across hundreds of users, with about 1,000 new repos appearing every 30 minutes at peak.
Entro Labs then took more than 26K Shai Hulud–linked repos and asked a narrower question: what secrets are actually leaking, and which non-human identities do they belong to?
What Happened: From Compromised Packages to Leaking Repos (Again)
Aikido Security research has confirmed a fresh wave of Shai Hulud themed npm compromises tied to popular ecosystems: Zapier automation packages, ENS Domains libraries, PostHog analytics tooling, Postman components, AsyncAPI and others.
The Shai Hulud 2.0 attacker’s playbook:
- Hijack maintainer accounts: Publishing rights for trusted npm packages are abused to release “new” versions that carry a hidden payload.
- Execute during install, not runtime: The new variant runs in the preinstall phase (install lifecycle scripts), which means simply running npm install in a dev machine or CI pipeline is enough to trigger it.
- Harvest secrets aggressively: Once executed, the malware:
- Reads environment variables from machines and CI agents
- Queries cloud metadata endpoints (/metadata style URLs) to pull short-term cloud credentials when available
- Uses secret scanning tools such as TruffleHog like earlier Shai Hulud variants
- Write secrets into local artifacts: Wiz researchers observed payload files like cloud.json, contents.json, environment.json, and truffleSecrets.json, which collect system data and secrets before exfiltration.
- Exfiltrate to GitHub Shai-Hulud repos: The malware then pushes the “loot” into attacker controlled GitHub repositories that either:
- Use “Shai-Hulud” naming
- Use random names but carry descriptions like “Sha1-Hulud: The Second Coming.”
- Keep the campaign alive: GitHub is actively removing attacker repositories, but the actors continue generating new ones as long as compromised environments are still installing tainted packages.
The result: every compromised developer laptop, CI job or build server that pulled one of these packages becomes a worm host. The secrets are the payload.
Why the Second Wave is Worse for Secrets and NHIs
Previous Shai Hulud coverage already showed how quickly secrets get harvested and pushed into public GitHub repos, as Wiz and others documented. This new wave raises the stakes significantly.
- The install phase means maximum exposure. By hooking into preinstall, the malware executes in exactly the environments with the richest secret access: developer machines loaded with long-lived tokens for GitHub, npm, cloud, SaaS and AI providers, and CI/CD workers that hold temporary credentials powerful enough to publish packages, deploy infrastructure or touch production data.
- The target is not your app logic, it is your identity layer. The attackers are not trying to slip in a subtle runtime backdoor. They are smashing and grabbing GitHub PATs and SSH keys, npm tokens, cloud provider credentials from metadata endpoints, and API keys for observability, productivity and AI tooling such as Datadog, Atlassian and OpenAI. In Entro language, the campaign is harvesting Non-Human Identities (NHIs) at scale: machine accounts, tokens and secrets that carry real, reusable permissions.
- Worm logic combined with token reuse creates immediate lateral movement. When this worm finds additional npm or GitHub tokens, it can use them to publish malicious versions of other packages, flip private repositories to public, attach malicious workflows, and seed even more environments that will eventually run npm install. That is supply chain compromise chained directly into NHI compromise.
One of the most active hubs we saw was a GitHub account called JenkinsGithubIntegration, using the Jenkins logo and hosting hundreds of repositories titled “Sha1-Hulud: The Second Coming.” This isn’t a benign integration user. It’s an attacker-controlled account, set up to look like a Jenkins automation user while serving as a dumping ground for exfiltrated secrets.
What Entro Labs Found in Shai Hulud 2.0
To move beyond headlines, Entro security researchers cloned and analyzed 26,000+ GitHub repositories associated with the Shai Hulud 2.0 campaign. The goal was to quantify what was actually leaking, not just which packages were compromised.
Over 8 Million Secrets Exposed!
Across those 26,000 repositories, 93.5% contained at least one exposed secret, for a total of 8,425,892 secret findings. That works out to an average of 346.8 secrets per affected repo, with the top 5% of repos responsible for 57.0% of all exposed credentials.
Which Secrets Shai Hulud Leaked
From the 26k+ Shai Hulud–linked repositories analyzed, the detectors show where the real damage is. The noisiest signal was URIs, with about 2.27M exposures: URLs with embedded credentials, meaning a single leaked link can silently authenticate to a web resource without any user interaction.
Behind it, we saw over 1.11M matches for GitHub OAuth tokens, 747k for Box, 615k for JumpCloud, ~386k Cloudflare API tokens, and ~381k Artifactory access tokens, plus roughly 313k private key patterns, 248k Docker Hub credentials, 236k JWTs, and 168k CircleCI secrets. In practice, this means the campaign isn’t just spraying random strings, it is systematically using open-source secret scanners to leak access into SCM, CI/CD, IAM solutions, storage, and edge infrastructure all at once.
AI Agents and Non-Human Identities Detected
When we classified these leaks, it was clearly a non-human identity (NHI) problem, not a scatter of “random secrets”. Roughly 1.4% were cloud access keys and IAM roles (AWS, Azure, GCP), 15.6% were Git hosting Personal Access Tokens (GitHub, GitLab, Bitbucket), 3.0% were CI/CD and automation tokens, 79.9% were SaaS and productivity tokens (Jira, Slack, Datadog, etc.).
The remaining 0.2% were high-impact AI and agent credentials (OpenAI, Bedrock, Claude and others), which lines up uncomfortably well with the fact that one of the compromised Zapier packages, @zapier/mcp-integration (versions 3.0.1 to 3.0.3), is used to wire agents into MCP integrations, giving the worm a direct path to the secrets those agents rely on.
Check If You’re in the Shai Hulud Dataset
Alongside this research, we put up a small public checker at safe.entro.security. Search by GitHub repo owner, email address, or secret SHA-256 hash to see whether it appears in the Shai Hulud 2.0 repositories we analyzed. It is meant as an early warning signal: if your org or secrets show up there, you should assume this campaign has already touched your environment.
Shai Hulud 3.0 or What’s Next
Shai Hulud is probably not going anywhere and we expect more variants and more headlines. The only way to blunt the impact is to make sure a compromised npm install has as little to steal as possible: stop hardcoding secrets and make sure CI logs, build artifacts, and debug output aren’t quietly hoarding credentials. Entro’s platform helps security teams see where secrets are embedded in code and pipelines, map them to the non-human identities and AI agents that use them, and rotate or decommission them before the next worm wave turns them into public GitHub baggage.
Research credits: This analysis builds on ongoing public research from Aikido Security and Wiz Research, who first documented the latest Shai Hulud style activity across npm, GitHub and the wider ecosystem.
Special thanks to Yehonathan Tsirolnik, Entro’s VP of Solutions Engineering, and the CTO Office Team for turning around this tool and research on short notice.