Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem
2 days ago
- #npm
- #supply-chain-attack
- #github-security
- A sophisticated npm supply chain worm named Shai-Hulud 2.0 compromised over 500 packages and affected 25,000+ repositories.
- The attack began when an engineer unknowingly installed a malicious package whose install-time script ran on the dev machine, stealing credentials and giving the attacker unauthorized access to the GitHub organization.
- The attacker conducted 17 hours of reconnaissance, cloning 669 repositories before executing a destructive 10-minute attack.
- The destructive phase was detected within 5 minutes, and the attacker's access was revoked within 4 minutes of detection, limiting further damage.
- Key mitigations included disabling npm lifecycle scripts globally (`ignore-scripts=true`), upgrading to pnpm 10 (which does not run dependency lifecycle scripts unless they are explicitly allowlisted), and enabling branch protection on all repositories.
- The incident highlighted the risks of arbitrary code execution during package installation and the importance of securing developer environments.
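The global `ignore-scripts` setting is only a mitigation while it stays in effect, and a later `.npmrc` line (user, project or CI image) can silently turn it back on. The following is an added example, not code from the post-mortem or its authors: a small POSIX shell audit that reads an `.npmrc` the way npm does (ini-style `key=value`, `;`/`#` comment lines, last assignment wins) and reports whether lifecycle scripts are actually disabled. The three sample files are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit an .npmrc for the ignore-scripts hardening.
# Exit 0 if the last uncommented "ignore-scripts" assignment is "true",
# exit 1 otherwise (unset, false, or overridden later in the file).
npmrc_ignore_scripts_enabled() {
  file="$1"
  # Drop comment lines (npm's ini format starts them with ; or #),
  # keep only ignore-scripts assignments, take the LAST one because
  # later keys override earlier ones, then isolate and trim the value.
  last=$(grep -v '^[[:space:]]*[;#]' "$file" 2>/dev/null \
    | grep -E '^[[:space:]]*ignore-scripts[[:space:]]*=' \
    | tail -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
  [ "$last" = "true" ]
}

# Constructed sample configs (not taken from any real machine).
tmp=$(mktemp -d)

cat > "$tmp/weak.npmrc" <<'EOF'
; constructed sample: npm's default, dependency scripts run on install
registry=https://registry.npmjs.org/
save-exact=true
EOF

cat > "$tmp/hardened.npmrc" <<'EOF'
; constructed sample: the global setting the post-mortem recommends
registry=https://registry.npmjs.org/
ignore-scripts=true
EOF

cat > "$tmp/overridden.npmrc" <<'EOF'
; constructed sample: a later line quietly re-enables scripts
ignore-scripts=true
# added by a tool that "fixed" a failing native build
ignore-scripts = false
EOF

# Human-readable report for the three samples.
for f in weak hardened overridden; do
  if npmrc_ignore_scripts_enabled "$tmp/$f.npmrc"; then
    echo "$f.npmrc: OK, install-time scripts are disabled"
  else
    echo "$f.npmrc: WARNING, install-time scripts will run"
  fi
done
```

Run it against `~/.npmrc` and each project's `.npmrc` (npm also reads a per-project file and the `NPM_CONFIG_IGNORE_SCRIPTS` environment variable, which this check does not see); on pnpm 10 the equivalent thing to audit is the `onlyBuiltDependencies` allowlist, which should contain only packages you have reviewed.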