Update on Sandworm Infostealer

Impacts of the Shai-Hulud malware strain continue to unfold.


The Shai-Hulud worm, which exploits the inherent trust in open-source software supply chain networks, continues to impact the industrial sector. 

Its primary objective is to steal sensitive credentials, such as GitHub Personal Access Tokens (PATs) and API keys for cloud services like AWS, Google Cloud, and Microsoft Azure, but the impacts are spreading to encompass government networks and operational technology environments. The stolen credentials and the network access they grant could be used to compromise the industrial control systems used in manufacturing, utilities, and other critical infrastructure.

Responses from the cybersecurity sector have been significant, with Sola Security deploying a rapid-response solution that can identify vulnerable code packages impacted by Shai-Hulud. The latest strain of the malware has been linked to compromises in over 25,000 code repositories, including Zapier and ENS.

In addition to concerns over credential theft, this supply-chain compromise is infiltrating long-trusted tools, creating a cascading effect across the entire software ecosystem. This means many companies using these packages may not even realize they're vulnerable.

“Shai-Hulud v2 demonstrates how quickly a single point of compromise can snowball across ecosystems when automated build and publishing processes are left unprotected,” offers Joe Saunders, Founder and CEO, RunSafe Security. “Attackers didn’t rely on novel zero-days — they exploited everyday CI and packaging workflows that most organizations assume are safe.

“Incidents like this highlight why the industry must shift from reacting to malware after distribution to preemptively hardening software at build-time. By eliminating exploit reuse at the binary level and ensuring every artifact is uniquely protected, we can dramatically reduce the blast radius of these supply chain attacks.”

CISA has also released recommendations for detection and remediation that include:

  • Conduct a dependency review of all software leveraging the npm package ecosystem.
  • Check for package-lock.json or yarn.lock files to identify affected packages, including those nested in dependency trees.
  • Search for cached versions of affected dependencies in artifact repositories and dependency management tools.
  • Pin npm package dependency versions to known safe releases produced prior to Sept. 16, 2025.
  • Immediately rotate all developer credentials.
  • Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and npm.
  • Monitor for anomalous network behavior, blocking outbound connections to webhook.site domains and monitoring firewall logs for connections to suspicious domains.
  • Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets.
  • Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates.
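The lockfile review and version-pinning steps above can be scripted. The following is an added example, not code from the article or from CISA: it walks a package-lock.json (nested node_modules entries included), flags every dependency whose resolved version was published on or after Sept. 16, 2025 or whose publish date is unknown, and suggests the newest earlier version to pin to. The lockfile and the publish-time map are constructed samples; in practice the timestamps come from the "time" map in the npm registry's package metadata.

```python
import json
from datetime import datetime, timezone

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad-ish": "^1.3.0"}},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/left-pad-ish/node_modules/@scope/deep-dep": {"version": "2.1.0"},
        "node_modules/other-lib": {"version": "0.9.1"},
        "node_modules/unknown-pkg": {"version": "0.1.0"},
    },
})

# Constructed stand-in for the registry's per-version publish timestamps
# (the "time" map of https://registry.npmjs.org/<package>); fetch the real map in practice.
SAMPLE_PUBLISH_TIMES = {
    "left-pad-ish": {"1.2.0": "2025-08-01T10:00:00.000Z", "1.3.0": "2025-09-20T08:15:00.000Z"},
    "@scope/deep-dep": {"2.1.0": "2025-09-16T00:30:00.000Z"},
    "other-lib": {"0.9.1": "2025-03-05T12:00:00.000Z"},
}

CUTOFF = datetime(2025, 9, 16, tzinfo=timezone.utc)  # CISA's "prior to Sept. 16, 2025"

def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def lockfile_packages(lock_text):
    """Yield (name, version, path) for every installed package, nested ones included."""
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        # 'node_modules/a/node_modules/@s/b' -> '@s/b'; scoped names keep their slash
        yield path.split("node_modules/")[-1], meta.get("version"), path

def flag_post_cutoff(lock_text, publish_times, cutoff=CUTOFF):
    """Return [(name, version, path, reason)] for lockfile entries that need review."""
    flagged = []
    for name, version, path in lockfile_packages(lock_text):
        times = publish_times.get(name, {})
        if version not in times:
            flagged.append((name, version, path, "no publish time known"))
        elif parse_time(times[version]) >= cutoff:
            flagged.append((name, version, path, f"published {times[version]}"))
    return flagged

def safe_pin(name, publish_times, cutoff=CUTOFF):
    """Newest version of `name` published before the cutoff, or None if there is none."""
    older = [(parse_time(t), v) for v, t in publish_times.get(name, {}).items() if parse_time(t) < cutoff]
    return max(older)[1] if older else None
```

Packages reported as "no publish time known" are not necessarily malicious; they mark gaps in the metadata you supplied and should be resolved before pinning.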