Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed
Essential information
- Published: 27/11/2025 03:00
- Modified: 21/12/2025 18:07
- Tags: 2025-11-27, automation, backdoor, credential harvesting, github, npm, shai-hulud 2.0, supply chain attack, worm
- Related entities: 4 observables, 17 techniques (MITRE), 1 malware
Description
In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours. The malware behaves like a worm, automatically harvesting credentials and cloud secrets, and spreading to new npm accounts. It uses GitHub Actions as a persistent backdoor and creates public repositories for exfiltration. The attack represents a significant escalation in supply-chain attack sophistication, affecting major projects and organizations, and resulting in tens of thousands of attacker-created GitHub repositories.