A major expansion of the self-propagating Shai-Hulud cyberattack, aimed at popular packages in the node package manager (npm) ecosystem used by JavaScript application developers, is creating a serious headache for DevSecOps teams around the globe.
Described by security researchers at Checkmarx as the “Second Coming” of Shai-Hulud, this version affects a much wider range of npm packages and is much more difficult to detect.
Popular projects from Zapier, ENS Domains, PostHog, and Postman were affected. According to security researchers from Wiz, 27% of cloud and code environments are affected. The attack is spreading at a rate of roughly 1,000 new repositories every 30 minutes, they added.
Security researchers at JFrog, meanwhile, said the final payload, like that of the first Shai-Hulud attack, is a self-propagating worm that steals user secrets, uploads them to a public GitHub repository, and repacks itself into all of the npm packages it can reach.

Guy Korolevski, security researcher at JFrog, said it’s not clear what the ultimate objective is, but DevSecOps teams are being advised to replace all the tokens used to access code repositories.
The affected GitHub repositories are harder to detect because they now have randomized names. Payload deployment and execution now also occur in two stages. Additionally, the infection limit is 100 npm packages per execution, which makes propagation faster when users with credentialed access to large numbers of packages are compromised.
A failure to authenticate to GitHub or npm with the acquired credentials triggers a wipe of the user's HOME directory, which causes build failures on continuous integration/continuous deployment (CI/CD) platforms.
The one thing that is almost certain is that the Second Coming of Shai-Hulud is not the last of this type of attack against software supply chains. DevSecOps teams, as a result, will need to revisit best security practices for software development. Arguably, existing processes are simply unsustainable from an application security perspective.
Mitch Ashley, vice president and practice lead for software lifecycle engineering at the Futurum Group, said Shai-Hulud exposes how unprotected the JavaScript supply chain has become. Modern software pipelines depend on ecosystems like npm, which means trust in dependencies must be treated as a core part of engineering practice, he added.
Secure sourcing, automated credential rotation, and continuous monitoring of developer components and pipelines are essential, noted Ashley. Shai-Hulud is a warning that software security efforts must focus on the development lifecycle, not just the production environment. Software supply chain security is not optional, he said.
The challenge, of course, is that in the age of artificial intelligence (AI) the pace of code development is increasing exponentially, which in turn increases the number of repositories that must be secured against attacks based on self-propagating worms.
In the meantime, however, looking for indicators of Shai-Hulud compromise is likely to require a significant amount of effort. Hopefully, there will soon be tools that help automate that process, but in the short term at least DevSecOps engineers have their work cut out for them.
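As an added, defender-side illustration (not code from the article or from any of the vendors it quotes), the following Python script triages constructed GitHub audit-log style events for two traits described above: public repositories created with randomized names, and bursts of repository creation from a single identity. The event field names, sample data and thresholds are assumptions, not published indicators.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names loosely follow a
# GitHub audit log export; the exact schema is an assumption of this example.
SAMPLE_EVENTS = [
    {"action": "repo.create", "actor": "dev-alice", "repo": "acme/payments-service", "visibility": "private", "ts": "2025-01-10T10:00:00Z"},
    {"action": "repo.create", "actor": "dev-alice", "repo": "acme/docs-site", "visibility": "public", "ts": "2025-01-10T11:00:00Z"},
    {"action": "repo.create", "actor": "ci-bot", "repo": "acme/q8zk2vxm1pl7hd0yr", "visibility": "public", "ts": "2025-01-10T12:00:10Z"},
    {"action": "repo.create", "actor": "ci-bot", "repo": "acme/t3wbn9cx5yzk0mq2aj", "visibility": "public", "ts": "2025-01-10T12:04:00Z"},
    {"action": "repo.create", "actor": "ci-bot", "repo": "acme/lp0e7sv4gkd2xw8rnh", "visibility": "public", "ts": "2025-01-10T12:09:00Z"},
]

def name_entropy(repo: str) -> float:
    """Shannon entropy in bits per character of the repo's short name."""
    short = repo.rsplit("/", 1)[-1]
    n = len(short)
    return -sum(c / n * math.log2(c / n) for c in Counter(short).values())

def looks_randomized(repo: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic for machine-generated names: long, mixed letters and digits,
    no word separators, high entropy. Tune thresholds to your own naming habits."""
    short = repo.rsplit("/", 1)[-1]
    return (len(short) >= min_len
            and any(c.isalpha() for c in short)
            and any(c.isdigit() for c in short)
            and not any(c in "-_." for c in short)
            and name_entropy(repo) >= min_entropy)

def creation_bursts(events, window=timedelta(minutes=30), threshold=3):
    """Actors that created at least `threshold` repos inside one sliding window."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "repo.create":
            per_actor[e["actor"]].append(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
    flagged = set()
    for actor, times in per_actor.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged.add(actor)
                break
    return sorted(flagged)

def triage(events):
    """Public repos with randomized-looking names plus actors creating repos in bursts."""
    repos = sorted(e["repo"] for e in events if e["action"] == "repo.create"
                   and e["visibility"] == "public" and looks_randomized(e["repo"]))
    return {"randomized_public_repos": repos, "burst_actors": creation_bursts(events)}
```

Both heuristics produce leads to review, not verdicts; a flagged identity is a prompt to check the associated tokens, which fits the token-rotation advice above.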