Tools

Shai-hulud Compromised A Dev Machine And Raided Github Org Access:...

2025-12-14 0 views admin
Shai-hulud Compromised A Dev Machine And Raided Github Org Access:...

On November 25th, 2025, we were on a routine Slack huddle debugging a production issue when we noticed something strange: a PR in one of our internal repos was suddenly closed, showed zero changes, and had a single commit from... Linus Torvalds?

Within seconds, our #git Slack channel exploded with notifications. Dozens of force-pushes. PRs closing across multiple repositories. All attributed to one of our engineers.

We had been compromised by Shai-Hulud 2.0, a sophisticated npm supply chain worm that compromised over 500 packages, affected 25,000+ repositories, and spread across the JavaScript ecosystem. We weren't alone: PostHog, Zapier, AsyncAPI, Postman, and ENS were among those hit.

This is the complete story of what happened, how we responded, and what we've changed to prevent this from happening again.

No Trigger.dev packages were ever compromised. The @trigger.dev/* packages and trigger.dev CLI were never infected with Shai-Hulud malware. This incident involved one of our engineers installing a compromised package on their development machine, which led to credential theft and unauthorized access to our GitHub organization. Our published packages remained safe throughout.

On the evening of November 24th, around 20:27 UTC (9:27 PM local time in Germany), one of our engineers was experimenting with a new project. They ran a command that triggered pnpm install. At that moment, somewhere in the dependency tree, a malicious package executed.

We don't know exactly which package delivered the payload. The engineer was experimenting at the time and may have deleted the project directory as part of cleanup. By the time we investigated, we couldn't trace back to the specific package. The engineer checked their shell history and they'd only run install commands in our main trigger repo, cloud repo, and one experimental project.

This is one of the frustrating realities of these attacks: once the malware runs, identifying the source becomes extremely difficult. The package doesn't announce itself. The pnpm install completes successfully. Everything looks normal.

What we do know is that the Shai-Hulud malware ran a preinstall script that:

When the engineer later recovered files from their compromised laptop (booted in recovery mode), they found the telltale signs:

Source: HackerNews

🏷️ Tags

githubappprojectcliapi

More from Tools

Entering the Upside Down of Pivot Grid: A Stranger Things Data-Viz Tutorial

Entering the Upside Down of Pivot Grid: A Stranger Things Data-Viz Tutorial

2025-12-15 0
I Wasted 6 Weeks Building SaaS Boilerplate (Again). Here's What Finally Made Me Stop.

I Wasted 6 Weeks Building SaaS Boilerplate (Again). Here's What Finally Made Me Stop.

2025-12-15 0
Designing Difficulty Curves That Work in Browser Platformer Games

Designing Difficulty Curves That Work in Browser Platformer Games

2025-12-15 0
CNN vs Transformer – A Visual Comparison

CNN vs Transformer – A Visual Comparison

2025-12-15 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views