Inside ShaiHulud 2.0: The Supply-Chain Worm That Read Your Secrets cover art

Inside ShaiHulud 2.0: The Supply-Chain Worm That Read Your Secrets

Inside ShaiHulud 2.0: The Supply-Chain Worm That Read Your Secrets

Listen for free

View show details

About this listen

In this episode, I sit down with Charlie Eriksen, the researcher who uncovered the Shai Hulud 2.0 campaign, for a deep dive into one of the wildest supply-chain attacks we’ve seen. What began as a strange detection quickly unraveled into a worm that spread across npm, GitHub, and even a compromised Open VSX extension.

“Patient Zero” was AsyncAPI, where the attackers exploited a subtle GitHub Actions flaw that let them run malicious code inside the org’s own CI pipelines without their pull request ever being merged. Unmerged PR → full RCE → stolen org-level credentials.

From there, the worm propagated through packages, harvested secrets with TruffleHog, dumped them into tens of thousands of GitHub repos, and, most shockingly, contained a wiper mode that deleted a victim’s entire home directory if it couldn’t create new repos.

It’s a fascinating and slightly terrifying look at how modern supply-chain attacks actually work under the hood. Give it a listen.
No reviews yet
In the spirit of reconciliation, Audible acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.