Sunday 05 July 2026 02:29:51 GMT+02:00


Cyber Intelligence & Threat Trends

From Sandworms to Supply Chains: Shai-Hulud Strikes Again, Infecting Java and JavaScript Developers Worldwide

A new wave of the Shai-Hulud worm leaps from npm to Maven, triggering a global scramble as thousands of developer secrets are swept up in its digital wake.

Fast Facts

  • Shai-Hulud worm has spread from npm (JavaScript) to Maven (Java), targeting software supply chains.
  • More than 25,000 GitHub repositories have leaked stolen secrets; new leaks appear every 30 minutes.
  • The worm uses advanced obfuscation and destroys user data if it can't steal valuable secrets.
  • Attackers exploited weaknesses in GitHub Actions workflows to compromise popular projects like PostHog and Postman.
  • Thousands of credentials for services like AWS, Google Cloud, and Azure have been exposed.

The Worm That Crossed the Desert

Imagine a digital sandworm, undetected beneath the surface, suddenly bursting through the code that powers the internet’s busiest software projects. That’s the reality facing developers worldwide as the Shai-Hulud worm, named after the monstrous creatures of Dune, transcends its original boundaries. Once confined to the npm ecosystem (the heart of JavaScript development), Shai-Hulud has now breached Maven Central, the main hub for Java libraries, revealing the fragility of modern software supply chains.

A Tale of Two Ecosystems

First detected in npm packages, Shai-Hulud’s second wave has proven more sophisticated and far-reaching. Security researchers recently identified the worm inside a Maven package, org.mvnpm:posthog-node:4.18.1. Although the real PostHog team never published this on Maven, automation tools that mirror npm packages to Maven inadvertently imported the infection. This cross-ecosystem leap is rare and dangerous, demonstrating how attackers exploit automation and trust between software communities.

Technically, the worm hides in two files: a loader disguised as a Bun installer (setup_bun.js) and a massive, obfuscated payload (bun_environment.js). Once activated, it quietly harvests secrets, such as GitHub tokens and cloud credentials, before uploading them to newly created GitHub repositories labeled with a chilling message: “Sha1-Hulud: The Second Coming.” If it can’t steal secrets, it resorts to digital arson, wiping the victim’s home directory in a destructive tantrum.
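The two file names above are the only concrete indicators the article gives, so a first triage step for a developer is simply to look for them in an installed dependency tree. The following scanner is an added example, not code from the article or from the PostHog project: it walks a directory, flags any file named setup_bun.js or bun_environment.js, and flags any package.json whose install-time lifecycle script references one of those names. The lifecycle-hook check and the sample package names are assumptions for illustration; only the two file names come from the article.

```python
"""Added example: triage an installed dependency tree for the two
Shai-Hulud file names named in the article. Not the article's own tooling."""
import json
import os
import shutil
import tempfile

# Indicators taken from the article; anything else here is an assumption.
IOC_FILENAMES = {"setup_bun.js", "bun_environment.js"}
# npm lifecycle hooks that run code at install time (assumed check).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def scan_tree(root):
    """Return a sorted list of (kind, relative_path) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name in IOC_FILENAMES:
                findings.append(("ioc-file", os.path.relpath(full, root)))
            elif name == "package.json":
                findings.extend(_check_manifest(full, root))
    return sorted(findings)


def _check_manifest(path, root):
    """Flag lifecycle scripts that invoke one of the indicator file names."""
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {}) or {}
    except (OSError, ValueError):
        return [("unreadable-manifest", os.path.relpath(path, root))]
    out = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook, "")
        if any(ioc in cmd for ioc in IOC_FILENAMES):
            out.append(("lifecycle-hook:" + hook, os.path.relpath(path, root)))
    return out


def demo():
    """Build a constructed node_modules tree (one clean package, one package
    carrying the indicators), scan it, and return the findings."""
    root = tempfile.mkdtemp()
    try:
        clean = os.path.join(root, "node_modules", "left-pad")
        os.makedirs(clean)
        with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "left-pad", "scripts": {"test": "node test.js"}}, fh)

        # Constructed package name; not a real infected package.
        bad = os.path.join(root, "node_modules", "example-infected-pkg")
        os.makedirs(bad)
        with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "example-infected-pkg",
                       "scripts": {"preinstall": "node setup_bun.js"}}, fh)
        for ioc in IOC_FILENAMES:
            open(os.path.join(bad, ioc), "w").close()
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:28} {path}")
```

Run it against a real checkout with `scan_tree("path/to/project")`; a hit on either file name, or a lifecycle hook that invokes one, is reason to treat every credential available to that machine or CI runner as exposed, which matches the harvesting behaviour the article describes.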

Exploiting the Gaps: How the Attack Worked

Investigators from firms like Step Security and Wiz traced the infection vector to misconfigured GitHub Actions workflows, the automated scripts developers use to test and deploy code. By abusing triggers like pull_request_target and workflow_run, attackers could inject their malware into trusted projects. Well-known names such as AsyncAPI, Postman, and PostHog were among the victims. The scale is staggering: over 5,000 files with stolen secrets have surfaced, with thousands still valid and publicly accessible as of late November 2025.
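The two triggers named above are dangerous because they run with the target repository's own permissions and secrets; the well-known misuse pattern is a workflow on one of those triggers that then checks out the contributor's branch and runs its build scripts. The checker below is an added example, not code from the article or from the firms it cites. It is a deliberately dependency-free, regex-based heuristic (not a full YAML parser), and the two embedded workflows are constructed: one showing the risky combination, one showing a hardened form that uses the plain pull_request trigger with read-only permissions and no secrets.

```python
"""Added example: flag GitHub Actions workflows that combine a privileged
trigger (pull_request_target / workflow_run) with a checkout of the
untrusted head ref. Heuristic, line-oriented; not the article's tooling."""
import re

# Triggers named in the article as the abused ones.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")

# Checkout of contributor-controlled code (assumed common pattern).
UNTRUSTED_REF = re.compile(
    r"ref:\s*\$\{\{\s*(github\.head_ref|"
    r"github\.event\.(?:pull_request|workflow_run)\.head\.(?:ref|sha))"
)
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")


def assess(workflow_text):
    """Return a dict describing trigger use, untrusted checkout, secret use
    and an overall verdict: 'risky', 'review' or 'ok'."""
    # Only the part before 'jobs:' declares triggers.
    header = re.split(r"^jobs:", workflow_text, maxsplit=1, flags=re.M)[0]
    found = re.findall(r"\b(pull_request_target|workflow_run)\b", header)
    triggers = sorted(set(t for t in found if t in PRIVILEGED_TRIGGERS))
    untrusted = bool(UNTRUSTED_REF.search(workflow_text))
    secrets = bool(SECRET_USE.search(workflow_text))

    if triggers and untrusted:
        verdict = "risky"      # privileged context running contributor code
    elif triggers:
        verdict = "review"     # privileged trigger; confirm no untrusted code runs
    else:
        verdict = "ok"
    return {
        "privileged_triggers": triggers,
        "checks_out_untrusted_ref": untrusted,
        "uses_secrets": secrets,
        "verdict": verdict,
    }


# Constructed sample: the weak pattern.
RISKY_WORKFLOW = """name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: the corrected form. The plain pull_request trigger
# runs with a read-only token and without repository secrets for forks.
HARDENED_WORKFLOW = """name: CI
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""


if __name__ == "__main__":
    for label, text in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, assess(text))
```

Pointing `assess` at each file under `.github/workflows/` gives a quick inventory of which pipelines run contributor-controlled code with repository secrets in scope; those are the ones to rework first, since a compromise there is exactly the path the article describes for PostHog and Postman.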

The New Normal for Developers

Shai-Hulud is not the first supply chain worm (recall the infamous SolarWinds hack or the dependency confusion attacks of 2021), but its speed, stealth, and cross-platform reach are unprecedented. The incident exposes a critical weakness in how software is built today: layers of automated trust, often with minimal human oversight. In response, Maven Central is tightening security to block automatic repackaging of potentially tainted npm components, but the damage is done and the lessons are clear.

As the digital sandworm burrows deeper, developers are left to sift through the ruins, patch their pipelines, and rethink how they trust the code flowing through their projects. The Shai-Hulud campaign is a wake-up call, a reminder that in the interconnected world of modern software, a single grain of malicious code can trigger a landslide.

WIKICROOK

  • Worm: A worm is self-replicating malware that spreads across networks without user action, exploiting vulnerabilities to infect multiple computers.
  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
  • Obfuscation: Obfuscation is the practice of disguising code or data to make it difficult for humans or security tools to understand, analyze, or detect.
  • GitHub Actions: GitHub Actions automates tasks like testing and deploying code on GitHub. While boosting productivity, it can be misused if not properly secured.
  • Credentials: Credentials are information like usernames and passwords that confirm identity and allow access to secure computer systems, networks, or accounts.