

Shai Hulud Incident DevSecOps Training Challenge

28/11/2025

In November 2025, the JavaScript ecosystem went through one of the largest npm supply-chain compromises in years: the Shai Hulud v2 campaign. More than 500 packages were affected, and several major open-source organisations were impacted.

Because this incident touches CI/CD security, trusted publishing, dependency hygiene, and cross-ecosystem distribution, we’ve published a new DevSecOps training challenge inspired by the real incident. It’s available for free for a limited time in our Weekly Incident game. The challenge has also been added to our Incident Response catalog.

What Happened in Shai Hulud v2

CI/CD Abuse at PostHog (Initial Access)

On November 26, 2025, PostHog published a detailed postmortem showing how one of their GitHub Actions workflows was abused.
The attacker briefly opened a pull request that tweaked a script run through pull_request_target, allowing them to extract a CI bot’s personal access token. That access was then used to pull additional GitHub secrets, including an npm publish token, and push malicious versions of several PostHog SDKs.

PostHog revoked the exposed credentials, conducted a strict workflow review, and reworked how secrets are managed. Their write-up shows how small workflow design choices can expose release credentials through untrusted pull requests.

Spillover From npm to Maven

The attack was not limited to npm.
A Maven Central artifact (org.mvnpm:posthog-node:4.18.1) was found to contain the same Bun-based payload (bun_environment.js) and preinstall loader (setup_bun.js) used in the npm campaign.

Maven Central later confirmed this package was produced automatically via mvnpm, which mirrors npm packages into Maven coordinates. They have since removed the compromised version and added measures to stop mirrored npm malware from reappearing.

Compromised npm Packages

Packages from @zapier, @asyncapi, @postman, @posthog, and @ensdomains were modified after the compromise. The attacker added:

  • A preinstall script in package.json
  • A loader (setup_bun.js) that installs or locates Bun
  • A 10MB obfuscated payload (bun_environment.js) that executes silently

To learn more about this incident and its technical breakdown see https://socket.dev/blog/shai-hulud-strikes-again-v2 .

New Challenge: Shai Hulud

Our Shai Hulud challenge is a simulation of this incident. It contains a snapshot of a repository infected by the worm. Your objective is to review the repository and logs to identify indicators of compromise (IoCs).

The challenge helps you learn where to look and what to do to mitigate this kind of incident. You can try the challenge in our:

👉 Weekly Incident (limited time): https://play.secdim.com/game/weekly-incident
👉 Incident Response catalog: https://play.secdim.com/game/incident-response

… And remember to run the app (make run). There is a surprise for you there.
