Cross icon
Test your LLM for oversharing! Test for real-world oversharing risks with role-specific prompts that mimic real workplace questions. FREE - Start Now
protect icon

A new era requires a new set of solutions
Knostic delivers it

Skip to main content
Assess Your Copilot
Skip to main content
Get a Demo
Skip to main content
Book a Demo

Shai-Hulud 2.0: Your IDE is Your New Attack Surface

Knostic Team
by Knostic Team
26 November 2025
3 mins read

Contents

It was Monday morning, November 24th, 2025. Charlie, a security researcher, sat down with his coffee and saw a cascade of alerts. "Yikes, surely that's a false positive?" he thought. It wasn't. Within hours, over 640 npm packages with 132 million monthly downloads were compromised. Major organizations like Zapier, PostHog, Postman, AsyncAPI, and ENS Domains fell victim to what security researchers are calling the most sophisticated supply chain attack of 2025.

This wasn't just another breach.

The Worm That Changed Everything

Shai-Hulud 2.0, named after the sandworms in Frank Herbert's Dune, represents a fundamental shift in software supply chain threats. Unlike traditional malware that simply infects systems, this is a true worm: self-replicating, autonomous, and devastatingly effective. The attack created over 25,000 malicious GitHub repositories, with 1,000 new repos appearing every 30 minutes at its peak.

The evolution timeline tells the story:

  • August 2025: The S1ngularity attack targeted Nx packages

  • September 2025: The first Shai-Hulud wave compromised 180+ packages and stole $50 million in cryptocurrency

  • November 21-24, 2025: "The Second Coming" struck with unprecedented scale and sophistication

What makes this attack terrifying isn't just its scale. It's the intelligence behind it. The worm can now infect up to 100 npm packages per victim (compared to 20 in September), includes a persistent backdoor via self-hosted GitHub Actions runners, and if it can't propagate, it wipes the victim's home directory entirely.

As Florian Roth, Head of Research at Nextron Systems, observed: "We used to fight worms on the OS level. Slammer, Blaster, Conficker... Now we get the same behaviour one layer up, inside the software ecosystems we trust every day."

Anatomy of a Modern Threat

The technical sophistication of Shai-Hulud 2.0 is remarkable. Researchers have documented how the attack uses a two-stage payload: setup_bun.js installs the Bun runtime (an intentional evasion technique since most security tools monitor Node.js, not Bun), then executes bun_environment.js, a heavily obfuscated 10MB payload.

The critical innovation here is preinstall execution. Unlike previous attacks that ran after installation, this malware executes during the preinstall phase before dependencies even resolve. This dramatically expands the attack surface across developer machines and CI/CD pipelines.

Once active, the malware:

  1. Scans for credentials using TruffleHog (a legitimate security tool, weaponized)

  2. Harvests GitHub tokens, npm tokens, AWS, GCP, and Azure credentials

  3. Exfiltrates data to GitHub repositories with the description "Sha1-Hulud: The Second Coming"

  4. Enumerates all packages the victim can publish

  5. Automatically injects malicious code and republishes up to 100 packages

  6. Installs persistent backdoors via GitHub Actions runners

Each victim becomes Patient Zero for the next wave. As Snyk documented, this creates a network effect where compromised accounts provide access to dozens or hundreds of other accounts, significantly extending the malware's operational lifetime.

The Uncomfortable Truth

The Shai-Hulud attack exposes an uncomfortable reality: your IDE is now your most vulnerable perimeter.

Traditional security (firewalls, EDR, SIEM systems) focuses on production environments. Cloud security has matured with CSPM and CWPP solutions. But developer environments? Wide open. As CISA noted in their official alert, this represents a fundamental blindspot in enterprise security architecture.

The numbers are staggering. Wiz's analysis showed that compromised packages like @postman/tunnel-agent exist in 27% of cloud environments, while posthog-node appears in 25%. When AsyncAPI's packages were trojaned, they affected roughly 20% of scanned environments.

Why did traditional defenses fail?

  • Trust-based ecosystem: npm relies on maintainer reputation

  • Automated workflows: npm install runs without scrutiny in CI/CD

  • No visibility: Package managers operate in a security blindspot

  • Preinstall execution: Malware runs before installation completes. No sandbox, no isolation

The timing was strategic too. Attackers struck just before npm's December 9th deadline to revoke classic tokens, exploiting the window where many developers hadn't migrated to trusted publishing. Combined with the Thanksgiving weekend in the US, when security teams were understaffed, the attack achieved maximum impact with minimal detection.

Defense Requires a Paradigm Shift

The Shai-Hulud attacks prove that the npm install trust model is fundamentally broken. According to CrowdStrike's analysis, package ecosystems have become execution surfaces that "nobody monitors, nobody hardens, and attackers don't even need an exploit to make them go wild."

Immediate actions are clear: search GitHub for "Sha1-Hulud: The Second Coming" repositories, roll back to pre-November 21 package versions, rotate all credentials, and audit for unauthorized GitHub Actions workflows. But these are reactive measures.

The real solution requires shifting security all the way left, into the IDE itself. Traditional approaches scan production deployments after packages are installed. By then, it's too late. Preinstall scripts have already been executed, credentials have been harvested, and the worm has propagated.

This is why we built Kirin.

Kirin integrates directly into IDEs like Cursor, scanning packages in real-time before installation. It detects malicious patterns like suspicious preinstall scripts, obfuscated payloads, unauthorized network calls, and credential scanning tools, and blocks them at the point of entry. If Shai-Hulud can't execute at install time, it can't propagate.

The attack surface has shifted. Worms are back, but now they're living in our package managers. The open source ecosystem that powers modern development needs defenders at every layer, especially at the layer developers interact with most: their IDE.

The Question Every CISO Should Ask

After Shai-Hulud compromised 800+ packages in one weekend, exposed 25,000+ repositories, and affected 132 million monthly downloads, the question isn't whether your development environment will be targeted. The question is whether you'll be ready when it happens.

Your IDE is either protected, or it's compromised.

Learn how Kirin provides real-time protection against supply chain attacks at the IDE level. Because by the time malicious code reaches production, you've already lost.

What’s Next

If this attack caught your attention, you’ll want to read our latest deep dive: MCP Hijacking of Cursor’s New Browser, a look at how extension-level attacks are evolving beyond NPM. And if you’re ready to protect your team before the next wave hits, start today at GetKirin.com.

Data Leakage Detection and Response for Enterprise AI Search

Learn how to assess and remediate LLM data exposure via Copilot, Glean and other AI Chatbots with Knostic.

Get Access

Mask group-Oct-30-2025-05-23-49-8537-PM

The Data Governance Gap in Enterprise AI

See why traditional controls fall short for LLMs, and learn how to build policies that keep AI compliant and secure.

Download the Whitepaper

data-governance

Rethinking Cyber Defense for the Age of AI

Learn how Sounil Yu’s Cyber Defense Matrix helps teams map new AI risks, controls, and readiness strategies for modern enterprises.

Get the Book

Cyber Defence Matrix - cover

Extend Microsoft Purview for AI Readiness

See how Knostic strengthens Purview by detecting overshared data, enforcing need-to-know access, and locking down AI-driven exposure.

Download the Brief

copilot-img

Build Trust and Security into Enterprise AI

Explore how Knostic aligns with Gartner’s AI TRiSM framework to manage trust, risk, and security across AI deployments.

Read the Brief

miniature-4-min

Real Prompts. Real Risks. Real Lessons.

A creative look at real-world prompt interactions that reveal how sensitive data can slip through AI conversations.

Get the Novella

novella-book-icon

Stop AI Data Leaks Before They Spread

Learn how Knostic detects and remediates oversharing across copilots and search tools, protecting sensitive data in real time.

Download the Brief

LLM-Data-min

Accelerate Copilot Rollouts with Confidence

Equip your clients to adopt Copilot faster with Knostic's AI security layer, boosting trust, compliance, and ROI.

Get the One-Pager

cover 1

Reveal Oversharing Before It Becomes a Breach

See how Knostic detects sensitive data exposure across copilots and search, before compliance and privacy risks emerge.

View the One-Pager

cover 1

Unlock AI Productivity Without Losing Control

Learn how Knostic helps teams harness AI assistants while keeping sensitive and regulated data protected.

Download the Brief

safely-unlock-book-img

Balancing Innovation and Risk in AI Adoption

A research-driven overview of LLM use cases and the security, privacy, and governance gaps enterprises must address.

Read the Study

mockup

Secure Your AI Coding Environment

Discover how Kirin prevents unsafe extensions, misconfigured IDE servers, and risky agent behavior from disrupting your business.

Get the One-Pager

cover 1

Tags:

AI data security
bg-shape-download

See How to Secure and Enable AI in Your Enterprise

Knostic provides AI-native security and governance across copilots, agents, and enterprise data. Discover risks, enforce guardrails, and enable innovation without compromise.

Request a Demo
195 1-min

Related Articles

AI Coding Assistants are Leaking Secrets: The Hidden Risk in your IDE
AI Coding Assistants are Leaking Secrets: The Hidden Risk in your IDE
26 November 2025
AI Data Poisoning: Threats, Examples, and Prevention
AI Data Poisoning: Threats, Examples, and Prevention
24 November 2025
AI Usage Control (AI-UC): How to Prevent AI Misuse
AI Usage Control (AI-UC): How to Prevent AI Misuse
19 November 2025
Building an AI Data Security Strategy From Scratch
Building an AI Data Security Strategy From Scratch
17 November 2025
background for career

What’s next?

Want to solve oversharing in your enterprise AI search? Let's talk.

Knostic offers the most comprehensively holistic and impartial solution for enterprise AI search.

Schedule a demo arrow icon
protect icon

Knostic leads the unbiased need-to-know based access controls space, enabling enterprises to safely adopt AI.

knostic logo white

United States
205 Van Buren St,
Herndon, VA 20170

Become Our Partner

Log in arrow icon Apply now

Free Tools

Industry Solutions

Policies and Legal

Resources

Departments

Roles

Schedule a demo arrow icon
Schedule a demo arrow icon

EXPLORE KNOSTIC

Free Tools

Solutions by Department

Solutions by Role

Solutions by Industry

Resources

COMPANY

Become Our Partner

Log in arrow icon Apply now
Copyright © 2025. All rights reserved