THREAT OPS › Threat News › Graph the Planet: Shai-Hulud 2.0
Graph the Planet: Shai-Hulud 2.0
<p class="wp-block-paragraph"><em><strong>TL;DR: </strong>This blog looks at the Shai-Hulud 2.0 worm through an Attack Path Management lens. I also introduce <a href="https://github.com/C0KERNEL/NPMHound">NPMHound </a>which can be used to visualize NPM package dependencies in BloodHound OpenGraph.</em></p>
<h2 class="wp-block-heading" id="h-introduction">Introduction</h2>
<p class="wp-block-
MITRE ATT&CK techniques
- CredentialsT1589.001
Indicators of compromise
- https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortemurl
- https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attackurl
- https://semver.npmjs.com/url
- http://registry.npmjs.orgurl
- https://docs.npmjs.com/trusted-publishers#security-best-practicesurl
- https://www.sysdig.com/blog/return-of-the-shai-hulud-worm-affects-over-25-000-github-repositoriesurl
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attackurl
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomainsurl
- https://www.tenable.com/blog/faq-about-sha1-hulud-2-0-the-second-coming-of-the-npm-supply-chain-campaignurl
- https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtimeurl
- https://corridor.dev/shai-checkurl
- https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24url
- https://socket.dev/blog/shai-hulud-strikes-again-v2url