
The Worm Returns (And It Brought Upgrades)
In September, we covered the Shai-Hulud worm, a self-replicating attack that exposed just how fragile the npm supply chain can be. But as we know, successful malware rarely stays static. Late November marked the arrival of Shai-Hulud v2, or as its authors rather dramatically titled it, “The Second Coming”.
This isn’t just a rerun; it’s a remaster. The new iteration is stealthier, more aggressive, and significantly more dangerous. While v1 was a wake-up call, v2 is a fire drill.
Here is what has changed and how you can use Bytesafe to protect your development lifecycle against it (and similar threats).
What Makes v2 Dangerous?
Like the original, v2 is a supply chain worm designed to steal credentials (AWS, GitHub, npm tokens) and use them to republish itself to other packages you maintain. However, the mechanism has evolved:
- Preinstall vs. Postinstall: While v1 politely waited for the postinstall phase, v2 is impatient. It executes during preinstall. This means the malicious code runs before the package even finishes installing. Even if the installation fails halfway through, the payload has likely already executed.
- Switching from Node.js to Bun: The malware now attempts to install the Bun runtime (setup_bun.js) and uses it to execute the actual payload. Bun is a newer, high-performance all-in-one JavaScript runtime designed to be a faster replacement for Node.js. By running inside Bun instead of Node.js, the attackers are hoping to slip past security tools that are strictly monitoring Node processes.
- A “Dead Man’s Switch” (The Temper Tantrum): Most malware tries to stay hidden if it fails. This one gets angry. If the worm cannot steal your credentials or connect to its server, it tries to delete your files instead. It is essentially a temper tantrum. Think of it like a sore loser flipping the Monopoly board over just because they are losing the game.
The Core Problem: Lifecycle Scripts
The common denominator between v1, v2, and countless other npm attacks is the install script.
We often treat npm install as a boring, benign administrative command. In reality, it is a Remote Code Execution (RCE) trigger. By default, npm allows packages to run arbitrary scripts on your machine or CI/CD runner. Shai-Hulud simply exploits this trust to turn a routine dependency update into a breach.
Defending Against the Worm with Bytesafe
Individual developers can try to remember to run npm install --ignore-scripts, but good luck scaling that across dozens of teams and CI pipelines. Bytesafe allows you to enforce these protections centrally at the firewall level.
1. Block Install Scripts (The Real Kill Switch)
The most effective defense against Shai-Hulud is preventing the script from running in the first place.
Using Bytesafe’s Block Install Scripts policy, you can block packages with these scripts before they reach your developers or build servers. If a package (like the infected versions of eslint-scope) has install scripts (pre or post), Bytesafe intervenes.
2. The Delay Upstream Policy
Shai-Hulud spreads by publishing new patch versions of infected packages.
- The Trap: Your CI pipeline sees a “fresh” version (e.g., 1.0.1 -> 1.0.2) and pulls it immediately.
- The Fix: Bytesafe’s Delay Upstream Policy.
By configuring a delay (e.g., “Block packages released in the last 7 days”), you effectively quarantine new releases. This “cooling-off” period gives security researchers and the npm administration time to identify and remove malicious versions before they ever enter your environment.
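The two policies above (blocking install lifecycle scripts, and holding back releases younger than a cooling-off window) can be reproduced as a local pre-flight check. The following is an added example, not Bytesafe’s own code: it assumes a package.json object and the registry “time” map returned by `npm view <pkg> time --json`, and the sample manifest and timestamps are constructed for illustration.

```javascript
// Added example (not Bytesafe's code): a local policy check modelled on the two
// policies described above. Given a package manifest and the registry "time" map
// (as returned by `npm view <pkg> time --json`), it reports whether the version
// would be blocked for carrying install lifecycle scripts or held back by a
// release-age delay.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns the install-time lifecycle hooks declared in a manifest.
function installScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Age in days of a given version, based on the registry publish timestamps.
// Returns null when the registry has no timestamp for that version.
function releaseAgeDays(timeMap, version, now = Date.now()) {
  const published = timeMap[version];
  if (!published) return null;
  return (now - Date.parse(published)) / 86400000;
}

// Applies both policies and returns a verdict with the reasons it was reached.
function evaluate(manifest, timeMap, { delayDays = 7, now = Date.now() } = {}) {
  const reasons = [];
  const hooks = installScripts(manifest);
  if (hooks.length) reasons.push(`install scripts: ${hooks.join(', ')}`);
  const age = releaseAgeDays(timeMap, manifest.version, now);
  if (age === null) reasons.push('no publish timestamp for this version');
  else if (age < delayDays) reasons.push(`released ${age.toFixed(1)} days ago (< ${delayDays})`);
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample (placeholder package name): a fresh patch release that
// declares a preinstall hook running a bundled script, the pattern this post describes.
const sampleManifest = {
  name: 'example-pkg',
  version: '1.0.2',
  scripts: { preinstall: 'node setup_bun.js', test: 'jest' },
};
const sampleTime = { '1.0.1': '2025-11-01T10:00:00.000Z', '1.0.2': '2025-11-24T09:30:00.000Z' };
const sampleNow = Date.parse('2025-11-25T12:00:00.000Z');

console.log(evaluate(sampleManifest, sampleTime, { now: sampleNow }));
```

Run it against the manifests in node_modules (or the tarball you are about to approve) to see which policy would have stopped a given version before it reached a build runner.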
3. Automated Quarantine
When a vulnerability is officially confirmed, time is of the essence. Bytesafe’s Vulnerability Quarantine automatically blocks access to packages as soon as they are flagged by vulnerability feeds.
While the Delay Policy handles the “unknown unknowns,” the Quarantine Policy ensures that once a package is known to be infected, it is instantly revoked for your entire organization.
Understand how Bytesafe works - Get an introduction
Take a quick tour with our team and see how easy it is to set up a firewall that blocks malicious scripts before they ever run.
👉 Want a guided tour? Schedule a product introduction.
👉 Ready to get started? Sign up for a free trial.