Shai‑Hulud 2.0 weaponizes pre-scan steps

Shai‑Hulud 2.0 evades detection by executing code before security checks, harvesting cloud credentials and converting GitHub runners into botnets—another example of attackers exploiting pipeline trust. Analysts stress curated catalogs and stricter pipeline inputs to counter pre-install attacks. (x.com) (thehackernews.com)

The surge that vendors call “The Second Coming” unfolded in a narrow window between November 21–24, 2025, when researchers observed hundreds of npm packages trojanized and more than 25,000 affected GitHub repositories. Analysts confirmed the campaign leveraged the Bun JavaScript runtime for on‑install execution and implemented self‑replicating code that reads and propagates its own contents, plus a configurable “dead‑man” mechanism intended to trigger destructive behavior if containment is detected. Telemetry-based counts estimate the worm exfiltrated credentials tied to at least ~500 unique GitHub users across ~150 organizations, while cloud-security scans flagged packages from Zapier, ENS Domains, PostHog and Postman that appear in roughly 27% of environments Wiz scans. Multiple reports show attackers weaponized CI workflows by backdooring packages and abusing self‑hosted GitHub Actions runners for persistence and cross‑victim credential reuse, effectively turning compromised runners into a distributed toolset for lateral propagation. Microsoft published step‑by‑step detection and response guidance on December 9, 2025, urging immediate rotation/revocation of exposed tokens, isolation or rebuild of compromised CI environments, and repository mapping via Defender integrations for automated scanning (microsoft.com). Operational mitigations packaged by vendors and community projects include using npm/Yarn/Bun safe flags to disable lifecycle scripts, rebuilding self‑hosted runners from clean images, rotating PATs and cloud keys, and running community detectors such as the gensecaihq/Shai‑Hulud‑2.0‑Detector and related clean‑install playbooks to remove malicious lifecycle hooks.
