Shai-Hulud secrets leak on GitHub
Data Leak
Summary
Hide ▲
Show ▼
The Shai-Hulud supply-chain malware leak exposed developer and CI/CD secrets on GitHub, creating immediate reuse risk for credentials taken from compromised development workflows. The second attack last week infected hundreds of NPM packages, published stolen data in 30,000 GitHub repositories, and exposed around 400,000 raw secrets. Wiz said more than 60% of leaked NPM tokens were still valid as of December 1st, and the malware also included a home-directory wipe under certain conditions.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Developers' AI provider API keys exfiltrated via malicious JetBrains plugins
Data Leak
H score12
First: 17.06.2026 12:10
Last: 17.06.2026 12:10
Sources 1
About this happening:
Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...
Developers' AI provider API keys exfiltrated via malicious JetBrains plugins
Data LeakAbout this happening: Developers' **AI provider API keys** were **exfiltrated** through malicious **JetBrains Marketplace** plugins, exposing credentials from a broad user base and risking unauthorized...
Miasma source code leak on GitHub
Data Leak
H score32
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma source code** was **briefly leaked on GitHub**, exposing malware framework code that could be copied, studied, and modified by other threat actors. The exposure repor...
Miasma source code leak on GitHub
Data LeakAbout this happening: The **Miasma source code** was **briefly leaked on GitHub**, exposing malware framework code that could be copied, studied, and modified by other threat actors. The exposure repor...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Shai-Hulud PyPI supply-chain malware activity
Malware ActivityAbout this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Timeline
-
24.11.2025 16:32 3 articles · 7mo ago
Shai-Hulud npm campaign leaks secrets on GitHub
Initial DisclosureShai-Hulud planted trojanized npm packages impersonating Zapier, ENS Domains, PostHog, and Postman to steal developer and CI/CD secrets, then published the stolen data on GitHub in encoded form through attacker-controlled repositories. Researchers linked the operation to compromised maintainer accounts, about 350 unique maintainer accounts, and malicious payloads that run during the pre-install stage, including setup_bun.js and bun_environment.js.
Show sources
- Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub — www.bleepingcomputer.com — 24.11.2025 16:32
- Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets — thehackernews.com — 26.11.2025 20:08
- Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets — www.bleepingcomputer.com — 02.12.2025 21:06