December 31, 2025
The Shai-Hulud 2.0 supply chain campaign represents a highly consequential compromise within the cloud-native ecosystem, involving hundreds of npm packages that have been trojanized to execute malicious code during the preinstall phase, bypassing conventional security checks. Threat actors gained control of legitimate maintainer accounts from widely used projects (such as Zapier, PostHog, and Postman) to embed preinstall scripts that install a secondary runtime and tools such as TruffleHog, which harvest developer, CI/CD, and cloud credentials and exfiltrate them to attacker-controlled repositories. Compromised credentials significantly elevate risk, enabling lateral movement across cloud workloads and undermining defenses that rely solely on static analysis or dependency scanning.
Microsoft’s guidance emphasizes defense-in-depth strategies that leverage integrated telemetry and advanced detection across endpoints, containers, and runtime environments, underscoring the limitations of traditional network-centric tools against supply-chain-borne threats. Key defensive actions include correlating signals across build systems and cloud resources, rotating and revoking exposed credentials, isolating affected CI/CD agents, and prioritizing attack-path reduction by tightening the roles and permissions associated with pipeline identities. Additional recommendations include using dedicated alerts for campaign indicators, verifying commit signatures to counter impersonation tactics, and avoiding the deployment of compromised packages in production workloads.