{"id":8792,"date":"2025-11-28T10:03:47","date_gmt":"2025-11-28T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/28\/shai-hulud-2-0-compromises-1200-organizations-exposing-critical-runtime-secrets\/"},"modified":"2025-11-28T10:03:47","modified_gmt":"2025-11-28T10:03:47","slug":"shai-hulud-2-0-compromises-1200-organizations-exposing-critical-runtime-secrets","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/28\/shai-hulud-2-0-compromises-1200-organizations-exposing-critical-runtime-secrets\/","title":{"rendered":"Shai Hulud 2.0 Compromises 1,200+ Organizations, Exposing Critical Runtime Secrets"},"content":{"rendered":"<div>\n<p>The <a href=\"https:\/\/cybersecuritynews.com\/npm-supply-chain-ctrl-tinycolor\/\" target=\"_blank\" rel=\"noreferrer noopener\">Shai Hulud 2.0<\/a> worm, first detected on November 24, 2025, has compromised nearly 1,200 organizations, including major banks, government bodies, and Fortune 500 technology firms.<\/p>\n<p>While initial reports described it as a simple npm supply chain attack that flooded GitHub with spam repositories, new analysis reveals a far more sophisticated operation.<\/p>\n<p>Entro Security researchers <a href=\"https:\/\/entro.security\/blog\/shai-hulud-2-0-banks-gov-tech-breach\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">observed<\/a> that the malware did not just create noise; it successfully exfiltrated sensitive runtime memory and credentials from deep within corporate <a href=\"https:\/\/cybersecuritynews.com\/ci-cd-pipeline-exploit\/\" target=\"_blank\" rel=\"noreferrer noopener\">CI\/CD pipelines<\/a>.<\/p>\n<p>Early analysis focused on the thousands of attacker-controlled GitHub repositories generated by the worm. 
However, researchers at Entro Security have confirmed that these repositories were merely the \u201ccollection layer\u201d for a much larger heist.<\/p>\n<p>The true damage occurred inside the victim environments, developer endpoints, cloud build servers, and self-hosted GitHub runners, where the malware executed payload scripts during the \u201cpreinstall\u201d phase of compromised npm packages.<\/p>\n<p>Instead of just scraping static files, Shai Hulud 2.0 captured full runtime environments. Entro Security analysis found that the generated artifacts, like environment.json, contained double-base64-encoded memory snapshots.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhRQUXJuyQUzdWm6itFOgbtq_frGeo7goWF1s4UWXSatpAYrEgxHCz7mDmOBFulqEvJQGQk89JBA9yHpuzYcKIq1Of082hHB8qEvmrAil8by6TQjTG0QYWvQEtlKZxQphTWr8F-IWuHDB3J9bfl3NMpriePzn0tXA9pagPdPqc3nHXYPtYvCRiJTplc2bYR\/w640-h376\/05%2520Research%2520Sample.webp?ssl=1\" alt=\"Shai Hulud 2.0 Double-encoded memory Snapshots\"><figcaption class=\"wp-element-caption\">Shai Hulud 2.0 Double-encoded memory Snapshots<\/figcaption><\/figure>\n<\/div>\n<p>These snapshots allowed attackers to reconstruct the exact state of compromised machines, granting them access to in-memory secrets that never appeared in code repositories.<\/p>\n<p>The scale of the compromise is staggering. 
Entro researchers identified 1,195 distinct organizations by analyzing email domains, internal hostnames, and tenant identifiers found in the exfiltrated data.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiqeBj_cymw1HPsuMxdh5qEmhUlIPm3K0m9BFX91dplXGgDEankQJXi76WlZ0hX3aD-5LXSaehHfYosWk_sDv7iGS3ydZdzZ_Ds7ul75OgwEDKzREjX-mmLjtO1cm-PfANJC3gE08ucBRCCT8jBvnRmRRpPlk7O7LW-j4Bpx3tlgzv1JGCihRcewdCI3olj\/w640-h402\/Shai%2520Hulud%25202%2520Verticals.webp?ssl=1\" alt=\"organizations Impacted\" style=\"width:640px;height:auto\"><figcaption class=\"wp-element-caption\">organizations Impacted (Credits: Entro)<\/figcaption><\/figure>\n<\/div>\n<p>Technology and SaaS companies suffered the most from the attack, representing over half of the identified victims.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Industry Sector<\/th>\n<th>Number of Compromised Orgs<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Technology \/ SaaS<\/strong><\/td>\n<td><strong>647<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Financial Services &amp; Banking<\/td>\n<td>53<\/td>\n<\/tr>\n<tr>\n<td>Healthcare<\/td>\n<td>38<\/td>\n<\/tr>\n<tr>\n<td>Insurance<\/td>\n<td>26<\/td>\n<\/tr>\n<tr>\n<td>Media<\/td>\n<td>21<\/td>\n<\/tr>\n<tr>\n<td>Telecom<\/td>\n<td>20<\/td>\n<\/tr>\n<tr>\n<td>Logistics<\/td>\n<td>15<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Two specific examples highlight the severity of the breach. 
The first involved one of the world\u2019s largest semiconductor companies, where a self-hosted GitHub Actions runner was compromised.<\/p>\n<p>The decoded memory dump exposed active <a href=\"https:\/\/cybersecuritynews.com\/identity-management-solutions\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub Personal Access Tokens<\/a> and internal hostnames, proving the attackers had valid entry points into the company\u2019s internal infrastructure.<\/p>\n<p>The second victim was a Tier-1 digital asset custody provider. In this case, the malware struck a GitLab CI pipeline. The exfiltrated data included live <a href=\"https:\/\/cybersecuritynews.com\/aws-key-hunter-free-automated-tool\/\" target=\"_blank\" rel=\"noreferrer noopener\">AWS secret keys<\/a>, blockchain production tokens, and Slack API keys.<\/p>\n<p>Critically, scans conducted on November 27, three days after the initial disclosure, revealed that some of these high-value credentials, including Google Cloud Service Account keys, were still valid and had not been revoked.<\/p>\n<p>The GitHub repositories associated with Shai Hulud 2.0 are being removed, but the stolen credentials remain in the attacker\u2019s hands. 
The campaign demonstrates that any environment where code is executed, whether a local laptop or a cloud-based CI runner, is a potential target for memory scraping.<\/p>\n<p>With valid secrets circulating days after the attack, organizations are urged to rotate all non-human identities and treat their runtime environments as fully compromised.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/shai-hulud-2-0\/\">Shai Hulud 2.0 Compromises 1,200+ Organizations, Exposing Critical Runtime Secrets<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/shai-hulud-2-0\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shai Hulud 2.0 Compromises 1,200+ Organizations, Exposing Critical Runtime Secrets The Shai Hulud 2.0 worm, first detected on November 24, 2025, has compromised nearly 1,200 organizations, including major banks, government bodies, and Fortune 500 technology firms. While initial reports described it as a simple npm supply chain attack that flooded GitHub with spam repositories, new 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-8792","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8792"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8792"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8792\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}