The "Second Coming" campaign, a continuation of the Shai-Hulud supply chain attack, shows threat actors refining their methods based on what they learned from previous campaigns. This new wave uses stolen credentials to exfiltrate secrets through legitimate GitHub repositories, bypassing earlier limitations such as rate-limited endpoints. The attack has compromised 621 unique npm packages and exposed over 11,000 secrets, with 2,298 still valid, affecting both developer workstations and CI/CD pipelines. The campaign underscores the critical vulnerability of secrets in software supply chains and the need for robust secrets management as an essential security measure. Aikido Security first reported the incident, providing ongoing analysis and updates.