SOCshare: November 2025 cyber threat landscape review


November 2025 marked one of the most turbulent months of the year, dominated by an alarming escalation in supply-chain attacks. While ransomware activity continued as usual, it was overshadowed by a wave of compromises targeting developers, CI/CD pipelines and open-source ecosystems.

Shai-Hulud 2.0: A Major November Incident 

The biggest story of the month was the rebirth of the Shai-Hulud campaign – now widely referred to as Shai-Hulud 2.0. 

Originally seen in September 2025, the attack returned in November with an increased scope: 

  • Dozens of npm maintainer accounts were compromised. 
  • Trojanized packages spread through preinstall scripts, allowing automatic execution during installation. 
  • Thousands of GitHub repositories were impacted, with many leaking tokens, cloud keys, and CI/CD credentials. 
  • Some variants included destructive behaviors, wiping developer environments if data theft failed. 

The November wave showed just how quickly supply-chain attacks can evolve. What started two months earlier as a targeted credential-harvesting campaign matured into a worm-like ecosystem attack affecting developers and organizations worldwide. 

What Else Happened in November 2025? 

  1. Increased Targeting of Identity Infrastructure 

Multiple incident reports highlighted attacks on: 

  • authentication proxies 
  • IAM synchronization tools 
  • identity-as-a-service platforms 

Attackers shifted toward stealing or forging tokens rather than brute-forcing credentials. 

  2. Ransomware Remains Active 

Ransomware groups continued operations, focusing heavily on manufacturing, logistics, and healthcare. However, the month’s activity was relatively “routine” compared to the supply-chain chaos – a rare moment where ransomware wasn’t the top headline. 

Key Takeaways 

  • Supply-chain security is now foundational, not optional. The November Shai-Hulud wave demonstrated that compromising a few maintainers or build pipelines can cascade into tens of thousands of downstream systems. 
  • Credentials are the prime target – not encryption, not destruction. Persistent access is more valuable. 
  • More attacks targeting CI runners, build pipelines, and package-signing keys. 
  • Threat actors experimenting with automated propagation – treating supply chains as high-efficiency distribution channels. 

Looking Ahead 

Organizations should prioritize: 

  • Dependency integrity controls and package-source verification 
  • Secret rotation and hardened CI/CD environments 
  • Monitoring for anomalous identity and cloud activity 
  • Minimizing automated script execution in install processes 

November 2025 showed that the cybersecurity landscape is shifting: attackers are going upstream, implanting themselves into the tools and ecosystems that modern software depends on. Strengthening the supply chain will be essential going into 2026. 

This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.
