November 26, 2025

Defend Against Shai-Hulud 2.0 Supply Chain Attack with Harness SCS

Shai-Hulud 2.0 shows how quickly a compromised maintainer account can result in thousands of infected NPM packages and repositories within hours. Harness SCS provides end-to-end SBOM visibility, policy enforcement to block compromised NPM packages, and complete traceability to detect malicious components early and prevent them from entering your pipelines.

On November 24, 2025, the open source ecosystem experienced a second significant wave of the Shai-Hulud NPM supply-chain attack, now called Shai-Hulud 2.0. Attackers compromised hundreds of NPM publisher accounts, trojanized widely used packages, including those from Zapier and ENS Domains, and introduced a worm-like payload that is triggered during the pre-install lifecycle of affected modules.

The malware installs a separate runtime (Bun), executes hidden scripts (setup_bun.js, bun_environment.js), harvests developer and cloud credentials (GitHub, AWS, GCP, Azure), creates malicious GitHub Actions runners, and spreads by republishing infected packages using stolen credentials.
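As an added defender-side check (not code from the original post or from Harness), the following Python scan looks through `package.json` manifests for install-time lifecycle hooks that reference the script names mentioned above. The manifests are constructed for illustration; the page does not give the payload's exact hook command.

```python
import json

# Script names the write-up associates with the worm's pre-install payload.
SUSPICIOUS_SCRIPT_FILES = ("setup_bun.js", "bun_environment.js")
# Lifecycle hooks that npm runs automatically while installing a package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def suspicious_lifecycle_hooks(package_json_text):
    """Return one finding per install-time hook whose command references a
    known script name. Each finding records the hook, its command and the
    script name that matched."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        for script in SUSPICIOUS_SCRIPT_FILES:
            if script in command:
                findings.append({"hook": hook, "command": command, "matched": script})
    return findings


def scan_manifests(manifests):
    """Scan several manifests (path -> package.json text) and return
    {path: findings} for those with at least one hit."""
    return {path: hits for path, text in manifests.items()
            if (hits := suspicious_lifecycle_hooks(text))}


# Constructed manifests: the trojanized one models the behaviour described
# above (a pre-install hook executing a hidden script); neither is a real package.
CLEAN_MANIFEST = json.dumps({
    "name": "example-clean", "version": "1.0.0",
    "scripts": {"test": "node test.js"},
})
TROJANIZED_MANIFEST = json.dumps({
    "name": "example-trojanized", "version": "1.0.1",
    "scripts": {"preinstall": "node setup_bun.js", "test": "node test.js"},
})

if __name__ == "__main__":
    for path, hits in scan_manifests({
        "node_modules/example-clean/package.json": CLEAN_MANIFEST,
        "node_modules/example-trojanized/package.json": TROJANIZED_MANIFEST,
    }).items():
        print(path, hits)
```

Run it over the `package.json` files under `node_modules` in a checked-out lockfile install to triage which dependencies warrant a closer look.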

Impact:

  • Over 25,000 compromised GitHub repositories affecting nearly 1,000 packages, with an additional ~1,000 new compromised repos every 30 minutes.
  • Thousands of stolen credentials across ecosystems.
  • Worm-style propagation across CI/CD runners, developer machines, and repositories.

This attack demonstrates how rapidly a supply chain attack can propagate and reinforces the need for real-time SBOM visibility and policy enforcement. These capabilities are no longer just best practices; they’re foundational safeguards for protecting modern software supply chains.

How Harness Supply Chain Security Helps

Harness SCS provides you with clear visibility into everything flowing through your software supply chain. You can identify risky or untrusted components early, generate Open Policy Agent (OPA) policies to automatically block suspicious dependencies, and ensure only safe, verified artifacts move forward in your pipelines.

Use Harness SCS to trace the complete lineage of every artifact, so you always know where components came from, how they were built, and what they’ve touched. With a component search across all repositories and artifacts, you can instantly find and isolate compromised dependencies the moment a supply chain attack, like Shai-Hulud, is disclosed.

1. Detect Compromised NPM Packages

Harness SCS equips you with a robust open source component search capability that works across every repository and artifact built with Harness pipelines. The moment a vulnerability or malicious package is disclosed, you can instantly search to identify the component and determine whether it exists anywhere, providing you with complete visibility across your entire supply chain.

2. Block Compromised NPM Packages

Harness AI simplifies incident response for events like Shai-Hulud 2.0 using natural-language prompts. With a single prompt, users can generate an OPA policy that blocks compromised NPM components across all CI/CD pipelines, prevents tampered or malicious packages from being introduced into new builds or deployments, and provides a strong preventive control throughout your SDLC.

Note that the list of packages known to be compromised by Shai-Hulud 2.0 will likely evolve as the worm mutates or infects additional packages. That list of known vulnerable packages informs a deny list, commonly found in security policies, and should be kept current as new disclosures arrive.
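As an added illustration (not Harness code or its policy format), here is the component search from step 1 and the deny-list evaluation from step 2 written in Python over constructed CycloneDX SBOMs. Package names, versions, artifact labels and the deny-list structure are all placeholders, since the page does not enumerate the compromised packages.

```python
import json

# Constructed deny list (placeholder names). In practice this is data refreshed
# as the set of known-compromised packages evolves; "*" marks every version.
DENY_LIST = [
    {"name": "@example-org/widget-sdk", "versions": ["2.4.1", "2.4.2"]},
    {"name": "example-helper", "versions": "*"},
]

# Constructed CycloneDX 1.5 SBOMs, one per built artifact.
SBOMS = {
    "svc-api:1.12.0": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "@example-org/widget-sdk", "version": "2.4.1",
             "purl": "pkg:npm/%40example-org/widget-sdk@2.4.1"},
            {"type": "library", "name": "example-utils", "version": "1.3.0",
             "purl": "pkg:npm/example-utils@1.3.0"}]}),
    "svc-web:3.0.2": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "@example-org/widget-sdk", "version": "2.3.9",
             "purl": "pkg:npm/%40example-org/widget-sdk@2.3.9"},
            {"type": "library", "name": "example-helper", "version": "0.9.0",
             "purl": "pkg:npm/example-helper@0.9.0"}]}),
}


def components(sbom_text):
    return json.loads(sbom_text).get("components", [])


def search_component(sboms, name):
    """Step 1: report which artifacts contain `name`, and at which versions."""
    hits = {}
    for artifact, text in sboms.items():
        versions = [c["version"] for c in components(text) if c.get("name") == name]
        if versions:
            hits[artifact] = versions
    return hits


def evaluate_deny_list(sbom_text, deny_list):
    """Step 2: return one deny reason per component matching the deny list.
    An empty list means the artifact passes the policy."""
    denied = {entry["name"]: entry["versions"] for entry in deny_list}
    reasons = []
    for c in components(sbom_text):
        versions = denied.get(c.get("name"))
        if versions is None:
            continue
        if versions == "*" or c.get("version") in versions:
            reasons.append(f"{c['name']}@{c['version']} is on the compromised-package deny list")
    return reasons
```

The second SBOM carries an older version of the scoped package that is not on the list, showing that version pinning in the deny list matters; the wildcard entry shows how to block a package outright.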

3. Track & Remediate Issues with Developers

Harness SCS automatically identifies vulnerable components across all production and non-production environments. Teams can assign fixes to developers, monitor progress from update to deployment, and sync everything with Jira for seamless workflow and ongoing tracking. With real-time visibility into what’s fixed, pending, or still at risk, you can ensure no vulnerability slips through the cracks and keep your supply chain hardened against Shai-Hulud and other similar malware.

Next Steps in the Face of Supply Chain Attacks

Shai-Hulud 2.0 reinforces how quickly a supply chain attack can escalate when an NPM maintainer account is compromised. The impacts of Shai-Hulud were felt across ecosystems within hours, bypassing traditional scanning and manual review processes.

Protecting against and preventing these threats requires more than detection; it requires real-time visibility, automated policy enforcement, and continuous remediation tracking. Harness SCS brings these capabilities together, helping development and security teams to quickly identify where malicious components are used, block them from entering future builds, and ensure fixes are fully rolled out.

With the proper controls in place, organizations can reduce exposure, contain risks early, and strengthen the integrity of their software supply chain against attacks like Shai-Hulud 2.0. Stay protected from future attacks using Harness SCS.

Also, learn how Harness SCS defends against the TJ Actions, NPM 1.0, and xz-utils supply chain attacks.

Pranay Shah

I am a seasoned security professional with 11+ years of experience across VAPT, vulnerability management, security tooling, and supply chain security. Currently, I serve as a Staff Product Manager at Harness, where I focus on building Supply Chain Security solutions that safeguard software from code to deployment. With a strong foundation in both technical and product leadership, I am passionate about advancing secure software practices and helping teams build with confidence.

Lavakush Biyani

Lavakush works as a DevRel Engineer for the Supply Chain Security module at Harness, bridging the gap between developers and product by enabling the product, streamlining the developer experience, and driving adoption by empowering teams with the right tools to build secure, scalable applications.
