Cycode’s Post


Shai Hulud is back. This second iteration of the npm supply chain attack, dubbed the “Second Coming” by the attackers, again publishes exposed secrets and then attempts to self-replicate. What’s changed is the scale and stealth: the new activity hits a broader set of npm dependencies (including Zapier/ENS-related packages in some cases) and creates randomly named public GitHub repositories that contain stolen data, instead of relying only on the fixed Shai-Hulud / “Shai-Hulud Migration” repo names described in prior reports.

Actions you should take:

1️⃣ Audit your dependencies and search for repos with the description "Sha1-Hulud: The Second Coming"
2️⃣ Scan for exposed secrets and rotate secrets
3️⃣ Inspect your CI/CD and Source Code Repositories for any unauthorized actions

Cycode’s security research team is actively monitoring this campaign and continuously updating affected packages in our Threat Intelligence feed so customers can quickly understand their exposure. The feed also surfaces suspicious public repositories associated with your developers’ accounts, including those labeled “Sha1-Hulud: The Second Coming,” so teams can see both package-level and repo-level impact in one place.

Read our write-up on the Shai-Hulud attack here: https://lnkd.in/g4aZ3BFX
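The first of the three actions above (audit dependencies, look for repositories carrying the campaign description) can be scripted. The following is an added example, not Cycode's tooling or anything from the Shai-Hulud write-up: it walks an npm `package-lock.json` (lockfile versions 1, 2 and 3) and flags any direct or transitive package whose name and version appear in an indicator list, and it scans a list of repository records shaped like the GitHub REST API's repository objects for the "Sha1-Hulud: The Second Coming" description and the fixed repo names reported for the first iteration. The package names in `AFFECTED_PACKAGES` are hypothetical placeholders (the post does not name affected packages); a defender would replace them with entries from a threat-intelligence feed. The lockfile and repository list are constructed inline so the script runs offline.

```python
"""Audit an npm lockfile and a repository listing for Sha1-Hulud indicators.

Added example, not Cycode's code. AFFECTED_PACKAGES holds hypothetical
placeholder names; replace them with a real feed before use.
"""
import json
import re
import sys

# Hypothetical placeholders: {package name: {compromised versions}}.
AFFECTED_PACKAGES = {
    "example-affected-pkg": {"1.2.3", "1.2.4"},      # placeholder, not a real package
    "@example-scope/affected-lib": {"0.9.1"},         # placeholder, not a real package
}

REPO_INDICATORS = [
    # Description used by the second iteration, as quoted in the post; the
    # pattern tolerates both the "Sha1" and "Shai" spellings seen in the thread.
    ("description", re.compile(r"sha[1i]-hulud:\s*the second coming", re.I)),
    # Fixed repository names reported for the first iteration.
    ("name", re.compile(r"^shai-hulud(-migration)?$", re.I)),
]


def _package_name(key: str) -> str:
    """Turn a lockfile 'packages' key such as
    'node_modules/a/node_modules/@scope/b' into the package name '@scope/b'."""
    return key.rsplit("node_modules/", 1)[-1]


def find_affected_packages(lock: dict) -> list:
    """Return sorted (install path, name, version) tuples for every installed
    package, direct or transitive, listed in AFFECTED_PACKAGES."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or _package_name(path)
            version = meta.get("version", "")
            if version in AFFECTED_PACKAGES.get(name, ()):
                hits.append((path, name, version))
    else:  # lockfileVersion 1: nested 'dependencies' trees
        def walk(deps: dict, prefix: str) -> None:
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                version = meta.get("version", "")
                if version in AFFECTED_PACKAGES.get(name, ()):
                    hits.append((path, name, version))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def find_suspicious_repos(repos: list) -> list:
    """Return (repo name, matched field) for each repository record whose
    name or description matches one of REPO_INDICATORS."""
    hits = []
    for repo in repos:
        for field, pattern in REPO_INDICATORS:
            if pattern.search(repo.get(field) or ""):
                hits.append((repo["name"], field))
                break
    return hits


# Constructed sample lockfile (lockfileVersion 3) with one transitive hit.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/good-dep": {"version": "4.0.0"},
        "node_modules/good-dep/node_modules/example-affected-pkg": {"version": "1.2.3"},
        "node_modules/example-affected-pkg": {"version": "1.1.0"},  # unaffected version
    },
}

# Constructed repository records shaped like GitHub API repo objects.
SAMPLE_REPOS = [
    {"name": "my-website", "description": "Personal site"},
    {"name": "x9f2k1qz", "description": "Sha1-Hulud: The Second Coming"},
    {"name": "Shai-Hulud-Migration", "description": None},
]


def main() -> None:
    # Optional: pass a real package-lock.json path as the first argument.
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    for path, name, version in find_affected_packages(lock):
        print(f"AFFECTED  {name}@{version}  at {path}")
    for name, field in find_suspicious_repos(SAMPLE_REPOS):
        print(f"SUSPICIOUS REPO  {name}  (matched on {field})")


if __name__ == "__main__":
    main()
```

Note that the lockfile walk reports the install path, so a transitive match (nested under `good-dep` here) is distinguishable from a direct dependency of the same name; the repository check keeps name and description matching separate so the older fixed-name indicators and the new description-based one can be tuned independently.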


For the nth time today, it's called "Sha1-hulud: The second coming", sha1, sha1, sha1. Whoever told you "Shai" was misinformed, and some place back in that chain of lies, you will find somebody with absolutely zero knowledge about IT, security, cryptography, and computing in general. And that's your original source, that you're trusting for "IT security related news" ... 😬 Now copy and paste this comment into everyone sharing it under the name of "shai" (which BTW normally means tea) ...


Kudos to the Cycode team — the early visibility and the package-level + repo-level insights make a real difference in identifying exposure quickly.

