Security Breach: Shai-Hulud Compromises Developer Machine and GitHub Access
Full Transcript
On November 25th, 2025, Shai-Hulud 2.0, a sophisticated npm supply chain worm, compromised a developer machine during a routine debugging session at Trigger.dev. The incident began when an engineer installed a compromised package, leading to credential theft and unauthorized access to the organization’s GitHub accounts.
Over a period of 17 hours, the attacker executed reconnaissance activities, cloning 669 repositories, including critical infrastructure code, before launching a destructive attack that closed 42 pull requests and force-pushed changes across 16 repositories in a span of 10 minutes.
The attack was detected shortly after it began, allowing the team to revoke access and recover all affected branches within 7 hours. The team confirmed that no npm packages from Trigger.dev were compromised, and the organization has since implemented several security measures, including disabling npm scripts and switching to OIDC for npm publishing, to mitigate future risks.
The report details the specific timeline of events, including the exact times of malicious activity and the methods used by the attacker, such as using TruffleHog for credential theft and creating empty GitHub repositories to store stolen data.
Following the attack, Trigger.dev took immediate action to secure their GitHub organization and communicate with potentially affected customers, emphasizing the need for robust security practices in software development environments.
This incident serves as a critical reminder of the vulnerabilities that can affect GitHub organizations and the ongoing challenges within the JavaScript ecosystem.