On November 21, 2025, security researchers detected the beginning
of what would become one of the most aggressive npm supply chain
attacks to date. The Shai Hulud 2.0 campaign compromised over 25,000
GitHub repositories within 72 hours, targeting packages from major
organizations including Zapier, ENS Domains, PostHog, and
Postman. The malware’s self-propagating design created a compounding
threat that moved at container speed, not human speed. This variant
executed during npm’s preinstall phase, harvesting developer
credentials, GitHub tokens, and cloud provider secrets before
packages even finished installing. Stolen credentials