npm Cyberattack: Shai-Hulud 2.0 Worm That Hit Major Tech Companies

What Business Owners Need to Know About This Cyberattack

A self-spreading cyberattack compromised hundreds of trusted software packages in November 2025, exposing thousands of businesses to credential theft

If your company uses web applications, mobile apps, or any software built with JavaScript, you need to understand what happened over Thanksgiving weekend 2025. A cyberattack called “Shai-Hulud 2.0 npm supply-chain attack” infected software packages used by millions of developers worldwide, and the fallout could still be affecting your business.

What Happened?

Think of software packages like ingredients in a recipe. When developers build applications, they don’t write everything from scratch. They use pre-built components called “packages” from a public library called npm (short for Node Package Manager). It’s like buying pre-made sauce instead of making it yourself.

On November 24, 2025, attackers managed to poison some of these ingredients. They inserted malicious code into trusted packages from well-known companies including PostHog (an analytics platform), Zapier (an automation tool), Postman (a developer tool), and many others.

When a developer installed one of these poisoned packages, the malicious code would immediately run on their computer. It would:

1. Steal passwords and access keys from the developer’s machine and cloud services
2. Publish those stolen credentials publicly on GitHub, where anyone could find them
3. Spread itself automatically by using stolen credentials to infect more packages

This is why attackers named it after the giant sandworms from the science fiction novel Dune. Like those worms, it spread quickly and destructively.

{
  "name": "@zapier/zapier-sdk",
  "version": "0.15.5",
  "description": "Complete Zapier SDK - combines all Zapier SDK packages",
  "scripts": {
    "build": "tsup",
    "test": "vitest",
    "preinstall": "npm setup_bun.js"
  }
}

The little "npm setup_bun.js" addition was responsible for the cyberattack.

Why Should You Care About This Cyberattack?

Even if you’ve never heard of npm, your business likely depends on it. If you have a website, a mobile app, or use cloud-based business tools, there’s a good chance some part of that technology relies on these packages.

The compromised packages collectively have over 20 million downloads per week. That’s 20 million opportunities for the malware to steal credentials and spread further.

Here’s what was stolen:

• Cloud access keys for Amazon Web Services, Google Cloud, and Microsoft Azure
• GitHub tokens that control access to software code
• API keys that connect different software systems together
• SSH keys that provide remote access to servers

According to security researchers, over 11,800 unique secrets were exposed, and more than 2,200 of them were still active and usable when discovered.

The Real-World Impact

PostHog, an analytics company, published a detailed account of how they were targeted. Attackers had actually stolen their publishing credentials days before the main attack, using a clever trick involving an innocent-looking code contribution.

The cyberattack affected companies of all sizes. Security firm Elastic disclosed that their automated systems ran the malware, though they contained it before any damage occurred. The breach touched not just JavaScript packages but also spread to Java packages through automated mirroring systems.

Perhaps most concerning: this was a “worm,” meaning it spread automatically without human intervention. At its peak, researchers tracked approximately 1,000 newly compromised repositories appearing every 30 minutes.

What Makes This Cyberattack Different

Traditional cyberattacks require hackers to break in. This one was invited in. Here’s how:

When you install a software package, it can run code automatically as part of the installation process. Normally, this is used for harmless setup tasks. The attackers exploited this by hiding malicious code in the “preinstall” step, which runs before the package is even fully installed.

This means:

• The malware ran even if the installation failed
• It executed before any security scanning could catch it
• It happened silently in the background

The malware also had a particularly nasty backup plan: if it couldn’t steal credentials or spread itself, it would attempt to delete all files in the user’s home folder. Security researchers described this as a “dead man’s switch” designed to cause maximum damage if blocked.

What You Should Do Right Now

If You Have a Technical Team

1. Check your software inventory. Ask your developers if any of the affected packages are in use. The most dangerous time window was November 21-24, 2025.
2. Rotate all credentials. Any API keys, cloud access credentials, or tokens that existed during this period should be replaced with new ones, even if you’re not sure they were exposed.
3. Audit your GitHub repositories. Look for any suspicious commits or new workflow files you didn’t create.
4. Update your packages. The latest versions of affected packages have been cleaned up and are safe to use.

If You Don’t Have Technical Staff

1. Contact your web developer or IT provider. Ask them specifically about npm package security and whether they’ve checked for Shai-Hulud exposure.
2. Review your cloud service billing. Unusual charges could indicate someone is using stolen credentials to access your cloud resources.
3. Check for unauthorized access. Log into your business services and look for login attempts from unfamiliar locations.
4. Update your passwords. If you use any developer tools or code repositories, change those passwords now.

Questions to Ask Your Tech Team or Vendors

If you work with developers or outsource your technology, here are questions to ask:

“Have you checked whether our projects use any of the 796 npm packages affected by Shai-Hulud 2.0?”

“Have we rotated all cloud credentials and API keys since November 24?”

“Are we using any security scanning for our software dependencies?”

“Have we enabled the ‘minimumReleaseAge’ setting to delay installation of newly published packages?”

The Bigger Picture

This cyberattack highlights a fundamental vulnerability in how modern software is built. We all rely on a vast web of interconnected packages, often created and maintained by volunteers or small teams. When one piece of that web is compromised, the effects ripple outward rapidly.

For business owners, the lesson is clear: software supply chain security is now a business risk, not just a technical concern. You don’t need to understand the technical details, but you do need to ensure someone on your team (or your vendors) is actively managing this risk.

The npm registry has announced it will require more secure authentication methods starting December 9, 2025, partly in response to these attacks. But security researchers expect similar attacks to continue evolving.

Protecting Your Business From Cyberattacks

Consider these longer-term steps:

1. Include software supply chain security in vendor assessments. When hiring developers or choosing software vendors, ask about their security practices for managing external packages.
2. Maintain an inventory of your software components. You should know what your applications are built with, just as you’d know what ingredients are in your products.
3. Plan for credential rotation. Have a process ready to quickly replace passwords and access keys when needed.
4. Consider cyber insurance. Review whether your policy covers supply chain attacks.

The digital infrastructure that powers your business is only as strong as its weakest link. The Shai-Hulud cyberattack demonstrated how quickly that weakness can be exploited.

How We Can Help

If you’re concerned that your business may have been affected by Shai-Hulud 2.0 cyberattack, or you simply want to ensure your digital assets are protected against similar attacks – our team at CodeThem can help.

Immediate Response Services

We offer emergency security audits for businesses that suspect they may have been compromised. Our developers will examine your applications’ dependency trees, identify any affected packages, and determine whether malicious code was executed in your environment. If your credentials were exposed, we’ll work quickly to rotate keys, revoke compromised tokens, and secure your cloud infrastructure before attackers can exploit them.

Remediation and Clean-Up

For applications that were directly affected, we provide thorough remediation services. This includes removing compromised package versions, updating to secure releases, scanning your codebase for any injected malicious code, and auditing your repositories for unauthorised changes. We document everything we find, giving you a clear picture of what happened and what we’ve done to fix it.

Get in Touch

Don’t wait until you discover unauthorised charges on your cloud bill or find your code has been tampered with. Contact us at codethem.com for a confidential consultation about your security posture. We’ll help you understand your exposure and build a practical plan to protect your business.

Timeline of The Cyberattack

This article summarizes public security reports from PostHog, Datadog Security Labs, Wiz, Palo Alto Networks Unit 42, Check Point Research, Elastic, GitLab, Docker, and other security organizations.