Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets

These articles are AI-generated summaries. Please check the original sources for full details.

The Shai-Hulud v2 supply chain attack expanded to the Maven ecosystem, compromising 28,000+ repositories and leaking 11,858 secrets, including API keys and cloud credentials. The attack leverages the same payload across both npm and Maven, using the Bun runtime to evade detection.

Why This Matters

The attack highlights the fragility of open-source supply chains, where a single compromised package can cascade into thousands of downstream applications. Unlike idealized models of secure dependency management, real-world systems often lack strict validation of package sources, enabling malware like Shai-Hulud v2 to exploit misconfigured CI/CD pipelines and steal secrets at scale. The campaign’s ability to self-replicate via infected maintainer accounts amplifies its impact, turning minor vulnerabilities into widespread breaches.

Practical Applications

  • Use Case: PostHog’s npm and Maven packages were weaponized to backdoor developer environments and exfiltrate secrets.
  • Pitfall: Misconfigured GitHub Actions workflows (e.g., pull_request_target triggers) allowed unauthorized code execution, enabling the attack to propagate.
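The pull_request_target pitfall named above, shown as two GitHub Actions workflows (an added example, not from the original article or from PostHog): the first runs contributor-controlled code with the base repository's secrets, the second does not. Workflow names, the NPM_TOKEN secret name and the build commands are assumed for illustration.

```yaml
# Added example (not from the original article). Two separate workflow files,
# shown here as two YAML documents.

# --- VULNERABLE: a fork's code runs in the base repository's privileged context
name: ci-unsafe
on:
  pull_request_target:            # runs in the BASE repo context: repository
    types: [opened, synchronize]  # secrets and a write-capable GITHUB_TOKEN exist
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # checks out the contributor's commit, i.e. untrusted code
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # package lifecycle scripts from the PR execute
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name; now readable
                                                # by whatever those scripts do
---
# --- HARDENED: untrusted code runs without secrets and with a read-only token
name: ci-safe
on:
  pull_request:                   # fork PRs get no secrets and a read-only token
permissions:
  contents: read                  # least privilege for the whole workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4              # default ref: the PR merge commit
      - run: npm ci --ignore-scripts && npm test   # no install-time scripts
```

If a workflow genuinely needs pull_request_target (for example to label a PR), keep it to steps that never check out or execute the contributor's code; the combination of pull_request_target, a checkout of the PR head and a secret in the environment is the pattern to flag in review.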
