
How we got hit by Shai-Hulud: A complete post-mortem

Blog post from Trigger.dev

Post details

Author: Eric Allam
Word count: 3,037
Language: English
Summary

On November 25, 2025, Shai-Hulud 2.0, a sophisticated self-propagating npm supply chain worm, compromised multiple repositories across the JavaScript ecosystem, affecting over 25,000 repositories in total, including those of organizations such as PostHog and Zapier. At Trigger.dev, the compromise began when one of the company's engineers unknowingly installed a compromised package, which led to credential theft and unauthorized access to the company's GitHub organization. Using the credentials stolen from the engineer's machine, the attacker carried out extensive reconnaissance and repository cloning from multiple locations, including the US and India, via VPNs or servers. The attack culminated in a destructive phase of automated pull request closures and force-pushes to multiple repositories. The company's npm packages remained uncompromised, however, due to the absence of npm publishing tokens and enforced 2FA. The company responded swiftly by identifying and revoking the compromised account, restoring all affected branches within seven hours, and implementing several security measures to prevent a recurrence, including disabling npm scripts globally, upgrading to pnpm 10, and enabling branch protection across all repositories. Despite the attack's impact, the company's internal infrastructure remained uncompromised and no unauthorized access to customer repositories was detected, thanks to proactive measures and a quick response.