🔴 HIGH | intel

Shai-Hulud 2.0 - NPM Worm Hits PostHog and 25,000 Developers

Category: Threat Alerts
Shai-Hulud 2.0 worm compromised PostHog's npm packages, spreading to over 25,000 developers via supply chain infection. The worm propagates through dependency relationships, automatically infecting downstream projects. PostHog, Zapier, AsyncAPI, Postman, and ENS Domains all confirmed infections. What's nasty: the malware exfiltrates environment variables containing API keys, database credentials, and authentication tokens from development environments. It establishes persistence by modifying package.json files and npm scripts to survive reinstalls. The worm specifically targets developer workstations where secrets are often stored in plaintext .env files. Once infected, projects automatically spread the malware to anyone installing their packages. Classic npm supply chain attack weaponizing the trust relationships inherent in package management.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Shai-Hulud 2.0 shows how a wormable npm campaign can rapidly compromise tens of thousands of developer environments, leading to theft of cloud, CI, and source code credentials that may enable deeper breaches well beyond the initial SDK vendors. Organizations that rely on affected packages face exposure of customer data, intellectual property, and production infrastructure if stolen secrets are used for lateral movement and persistence.

Strategic Intelligence Guidance

  • Identify whether affected PostHog, Zapier, AsyncAPI, ENS, or Postman npm packages were installed in your environments during the impacted time window, and immediately rotate any credentials that may have been present on those systems.
  • Harden CI/CD workflows by minimizing token scopes, enforcing code review on workflow changes, and adopting a trusted-publisher or OIDC-based model for package releases instead of long-lived static tokens.
  • Configure build environments to disallow or closely monitor npm install scripts where feasible, and use lockfiles plus integrity verification to ensure dependencies match vetted versions.
  • Implement continuous monitoring and alerting for unusual npm publication or installation patterns, as well as new outbound connections from build systems to Git hosting platforms or unfamiliar domains.
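The guidance above asks teams to check whether affected packages are present, to verify that dependencies match vetted versions via lockfile integrity hashes, and to keep install scripts under scrutiny. The following Node script is an added example, not code from the original alert or from any of the vendors named: it triages a project's package.json and package-lock.json offline against those three points. The watchlist package names and versions, the sample manifest, and the sample lockfile are all constructed placeholders; in practice the watchlist is filled from the exact name/version pairs published in the vendor advisories.

```javascript
// Added example (not part of the original alert): offline triage of an npm
// project's manifest and lockfile for three things the alert's guidance asks
// about: (1) dependencies on a watchlist of package name/version pairs,
// (2) lockfile entries with no `integrity` hash (so `npm ci` cannot verify the
// tarball), and (3) lifecycle scripts that run automatically on install.

// npm lifecycle hooks that execute during `npm install` / `npm ci`.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Constructed watchlist: placeholder names/versions, NOT real compromised
// packages. Replace with the exact pairs from the published advisories.
const WATCHLIST = {
  '@example-vendor/sdk': ['1.2.3'],
  'example-cli': ['4.0.0', '4.0.1'],
};

// Constructed sample package.json: an install-time hook has been added.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  version: '1.0.0',
  scripts: {
    build: 'tsc',
    postinstall: 'node scripts/post-install.js', // runs on every install; review it
  },
  dependencies: { '@example-vendor/sdk': '^1.2.0', 'left-pad': '^1.3.0' },
};

// Constructed sample package-lock.json (lockfileVersion 3 layout: "packages"
// keyed by install path; the "" key is the root project itself).
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@example-vendor/sdk': '^1.2.0', 'left-pad': '^1.3.0' } },
    'node_modules/@example-vendor/sdk': {
      version: '1.2.3',
      resolved: 'https://registry.example.invalid/sdk-1.2.3.tgz', // placeholder URL
      integrity: 'sha512-PLACEHOLDERHASH', // placeholder, not a real SRI value
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.example.invalid/left-pad-1.3.0.tgz', // placeholder URL
      // no `integrity` field: npm cannot verify this tarball against the lockfile
    },
  },
};

// Package name from a lockfile path such as "node_modules/@scope/name" or a
// nested "node_modules/a/node_modules/b": the part after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Lockfile entries whose name AND resolved version appear on the watchlist.
function findWatchlisted(lockfile, watchlist = WATCHLIST) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !watchlist[name]) continue;
    if (watchlist[name].includes(entry.version)) hits.push({ name, version: entry.version, path: lockPath });
  }
  return hits;
}

// Installed packages that carry no integrity hash in the lockfile.
function findMissingIntegrity(lockfile) {
  const missing = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '' || entry.link) continue; // root project and workspace links have no tarball
    if (!entry.integrity) missing.push(packageNameFromPath(lockPath));
  }
  return missing;
}

// Lifecycle scripts declared in package.json that will run at install time.
function findLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_SCRIPTS.filter((s) => typeof scripts[s] === 'string')
    .map((s) => ({ name: s, command: scripts[s] }));
}

// Combined report for a manifest/lockfile pair.
function triage(pkg, lockfile, watchlist = WATCHLIST) {
  return {
    watchlisted: findWatchlisted(lockfile, watchlist),
    missingIntegrity: findMissingIntegrity(lockfile),
    lifecycleScripts: findLifecycleScripts(pkg),
  };
}

console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE), null, 2));
```

For a real project, load the two files with `fs.readFileSync` and `JSON.parse` and pass them to `triage`; any watchlist hit is a trigger for the credential rotation the guidance calls for, a missing `integrity` entry means `npm ci` cannot verify that dependency and the lockfile should be regenerated from a vetted source, and every lifecycle script listed deserves a read before the next install. Where install-time scripts are not needed at all, the page's suggestion to disallow them maps to npm's `ignore-scripts` setting (for example `ignore-scripts=true` in a project `.npmrc`, or `npm ci --ignore-scripts` in CI).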

Vendors

PostHog, npm, Zapier, AsyncAPI, Postman, ENS Domains

Threats

Shai-Hulud 2.0, software supply chain malware

Targets

JavaScript developers, CI/CD pipelines, cloud infrastructure