Last weekend, while most businesses were winding down for the week, a self-replicating worm called Shai-Hulud 2.0 tore through one of the world's largest software repositories. By Monday morning, security researchers had confirmed over 800 compromised packages in the npm registry — the same ecosystem that powers countless web applications, e-commerce platforms, and business tools your company likely depends on.
The affected packages include components from major projects like Zapier, Postman, and PostHog, with a combined download count exceeding 132 million per month. If your business runs any web-based applications, customer portals, or custom software built in the last decade, there's a reasonable chance infected code touched your systems.
Most business owners hear "npm" and assume it's a developer concern. That assumption is dangerous. npm (Node Package Manager) is the backbone of modern web development. Your company website, your customer-facing applications, your internal tools — many of these rely on hundreds or thousands of small software packages pulled from npm. Developers don't build everything from scratch; they assemble applications from trusted, pre-built components.
That trust is exactly what attackers exploited.
The Shai-Hulud 2.0 worm works by hijacking legitimate software packages and injecting malicious code that executes the moment a developer installs an update. Once active, the malware scans for credentials — GitHub tokens, AWS keys, Azure access, Google Cloud permissions — anything that grants access to your cloud infrastructure or code repositories. Attackers then use those stolen credentials to spread the infection further, turning each compromised developer into an unwitting distribution point.
The most alarming feature of this variant? If the worm can't find credentials to steal, it doesn't simply go quiet. It wipes the victim's entire home directory, destroying local files, configurations, and work in progress.
Even if your internal team doesn't write JavaScript code, you're not immune. Every SaaS tool you use, every third-party integration, every vendor application — these all have their own software dependencies. A supply chain attack doesn't require direct access to your systems. It requires access to anyone in the chain between the original code and your business operations.
This is why supply chain attacks have become the preferred method for sophisticated threat actors. Why attack a single target when you can poison the well that thousands of organizations drink from?
The September 2025 wave of this same attack compromised over 500 packages and exposed credentials from AWS, Google Cloud, Atlassian, and Datadog. Organizations that thought they were protected by perimeter security and endpoint detection found themselves breached through trusted software updates.
The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance within days of the attack's discovery, and the recommendations apply whether you have an in-house development team or rely entirely on third-party applications.
For businesses with development teams or custom applications:
Start by auditing your software dependencies. Security tools can scan your codebase for known compromised packages and flag vulnerable versions. Rotate all developer credentials immediately — GitHub tokens, cloud access keys, API credentials. Review your CI/CD pipelines for unauthorized changes, particularly any new workflow files that appeared in the last week.
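One concrete way to do the dependency audit described above, and to surface the install-time execution vector the worm relies on, is to walk the project's `package-lock.json` rather than the code. The script below is an added example written for this post, not code from the original article, from CISA, or from any affected project. It assumes a lockfile in version 2 or 3 format (the `packages` map, which records `hasInstallScript: true` for any package that declares a preinstall/install/postinstall hook); that install-time lifecycle scripts are the mechanism behind "executes the moment a developer installs an update" is an assumption, since the post does not name the mechanism. The compromised-package list and the sample lockfile are constructed for the demo and do not correspond to any real advisory entry.

```javascript
// Added example (not from the original post): audit an npm lockfile against a
// list of known-compromised package versions and flag every package that
// declares install-time scripts, which run automatically on `npm install`.

// CONSTRUCTED blocklist for the demo. In practice, populate this from the
// vendor or CISA advisory that lists the affected package@version pairs.
const COMPROMISED = {
  "example-left-pad": ["1.3.1"],          // constructed, not a real advisory entry
  "@acme/demo-utils": ["2.0.5", "2.0.6"], // constructed, not a real advisory entry
};

// Derive the package name from a lockfile path such as
// "node_modules/harmless-lib/node_modules/@acme/demo-utils".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Parse a v2/v3 lockfile into a flat list of installed packages.
function parseLockfile(text) {
  const lock = JSON.parse(text);
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 not supported; regenerate the lockfile with a current npm");
  }
  const packages = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project entry, not a dependency
    packages.push({
      path,
      name: meta.name || nameFromPath(path),
      version: meta.version,
      hasInstallScript: meta.hasInstallScript === true,
    });
  }
  return packages;
}

// Return two lists: exact matches against the blocklist, and every package
// that will execute a lifecycle script during installation.
function auditLockfile(text, blocklist = COMPROMISED) {
  const findings = { compromised: [], installScripts: [] };
  for (const pkg of parseLockfile(text)) {
    const badVersions = blocklist[pkg.name];
    if (badVersions && badVersions.includes(pkg.version)) {
      findings.compromised.push(`${pkg.name}@${pkg.version} (${pkg.path})`);
    }
    if (pkg.hasInstallScript) {
      findings.installScripts.push(`${pkg.name}@${pkg.version}`);
    }
  }
  return findings;
}

// CONSTRUCTED sample lockfile: one blocklisted package appears twice (once
// hoisted, once nested under another dependency), so a naive top-level check
// would miss the second copy.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-left-pad": { version: "1.3.1", hasInstallScript: true },
    "node_modules/@acme/demo-utils": { version: "2.0.4" },
    "node_modules/harmless-lib": { version: "4.1.2" },
    "node_modules/harmless-lib/node_modules/example-left-pad": { version: "1.3.1", hasInstallScript: true },
  },
});

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Against the constructed lockfile this reports both copies of `example-left-pad@1.3.1` as compromised and both as carrying install scripts, while `@acme/demo-utils@2.0.4` passes because only 2.0.5 and 2.0.6 are listed. To run it on a real project, replace `SAMPLE_LOCK` with the contents of `package-lock.json`. The `installScripts` list is the one to read critically: any entry you cannot explain is worth a closer look, and setting `ignore-scripts=true` in the project's `.npmrc` stops npm from running those hooks at all during installs in CI.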
For businesses relying on third-party software and SaaS tools:
Contact your vendors. Ask specifically whether they use any of the affected npm packages and what steps they've taken to verify their software supply chain. Reputable vendors should have answers ready. If they don't, that tells you something about their security maturity.
For all businesses:
This incident reinforces why credential management matters. Enforce multi-factor authentication everywhere. Implement the principle of least privilege — developers and applications should only have access to what they absolutely need. Consider whether your current security monitoring would detect unusual credential usage or unexpected data exfiltration.
Shai-Hulud 2.0 isn't an isolated incident. It's the second major wave of this specific attack in three months, and supply chain compromises have been accelerating across the software industry. Attackers have learned that targeting the tools developers trust yields far greater returns than attacking individual companies one at a time.
For small and mid-sized businesses, this creates a difficult reality. You benefit from the same powerful, flexible software that enterprises use — but you inherit the same supply chain risks without necessarily having the security resources to monitor them.
The businesses that weather these incidents best are the ones that treat software supply chain security as an ongoing concern rather than a one-time checkbox. They maintain relationships with security partners who track emerging threats and can help them respond quickly when attacks like Shai-Hulud surface.
If this incident has you questioning whether your current security posture accounts for supply chain risks, that's a conversation worth having sooner rather than later. The next wave won't wait for a convenient time.