Return of the Shai-Hulud worm affects over 25,000 GitHub repositories
Blog post from Sysdig
The new version of the Shai-Hulud worm, which began spreading on November 24, 2025, has affected over 25,000 GitHub repositories by using compromised NPM packages to steal credentials and exfiltrate them. This iteration is more sophisticated than its predecessor: it executes during the pre-installation (preinstall) phase, runs under the "bun" JavaScript runtime, and adds new persistence and data-exfiltration capabilities. It leverages cloud modules and creates GitHub repositories to exfiltrate secrets, and it uses a self-hosted GitHub Actions runner as a backdoor. Security teams can detect the worm through suspicious activity associated with NPM install commands. To contain it, affected users must remove the compromised packages, clear NPM caches, rotate every exposed credential, and audit their environments for unauthorized changes. The incident highlights the critical need for runtime threat detection when monitoring third-party packages for malicious activity; tools such as Falco and Sysdig Secure provide the necessary visibility and detection capabilities.
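Because the summary's detection and audit advice both hinge on code that runs during NPM's install lifecycle, the following is an added audit helper (not Sysdig's tooling and not code from the blog post) that walks a `node_modules` tree, parses each `package.json`, and reports every install-time hook, tagging the ones whose command mentions the `bun` runtime, a downloader, or a script launch. The package names, the `install-helper.js` command and the regex heuristics are constructed for this example; a hit means "review this package", not "this package is the worm".

```python
"""Audit helper for install-time npm lifecycle hooks (added example, not Sysdig's code)."""
import json
import os
import re
import tempfile
from pathlib import Path

# Hooks npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns, constructed for this example (not indicators from the post).
RISK_PATTERNS = {
    "bun-runtime": re.compile(r"\bbunx?\b"),
    "downloader": re.compile(r"\b(curl|wget)\b"),
    "script-launch": re.compile(r"\b(node|bun)\s+\S+\.js\b"),
    "eval-or-exec": re.compile(r"\b(eval|exec)\b"),
}


def suspicious_lifecycle_scripts(manifest: dict) -> list[dict]:
    """Return one finding per install-time hook declared in a parsed package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        reasons = [tag for tag, rx in RISK_PATTERNS.items() if rx.search(cmd)]
        findings.append({
            "package": manifest.get("name", "<unnamed>"),
            "version": manifest.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "reasons": reasons,  # empty list: hook present but no heuristic matched
        })
    return findings


def scan_node_modules(root) -> list[dict]:
    """Collect findings from every package.json below root (typically node_modules)."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            manifest = json.loads((Path(dirpath) / "package.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        if isinstance(manifest, dict):
            results.extend(suspicious_lifecycle_scripts(manifest))
    return results


def build_demo_tree(base) -> Path:
    """Write a constructed node_modules tree: one clean package, one with a preinstall hook."""
    nm = Path(base) / "node_modules"
    clean, hooked = nm / "example-clean", nm / "example-hooked"
    clean.mkdir(parents=True)
    hooked.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "example-clean", "version": "1.0.0", "scripts": {"test": "jest"},
    }))
    (hooked / "package.json").write_text(json.dumps({
        "name": "example-hooked", "version": "9.9.9",
        # Constructed command in the style the summary describes: a preinstall hook that launches bun.
        "scripts": {"preinstall": "node install-helper.js && bun run ./helper.js"},
    }))
    return nm


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_node_modules(build_demo_tree(tmp))


if __name__ == "__main__":
    for f in run_demo():
        flag = "REVIEW" if f["reasons"] else "info"
        print(f"[{flag}] {f['package']}@{f['version']} {f['hook']}: {f['command']} {f['reasons']}")
```

Run it against a real project with `scan_node_modules(Path("node_modules"))`; every finding, matched heuristic or not, is a package that executes code during `npm install` and belongs on the audit list the summary calls for. Pair this static check with runtime detection, since a hook can download its payload rather than carry it in `package.json`.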