Notice Regarding Ongoing npm Supply-Chain Attack (Shai-Hulud 2.0)

[remarkov]

We want to inform you about an ongoing npm supply-chain attack known as “Shai-Hulud 2.0”, in which attackers published compromised versions of popular packages. These packages include malicious install scripts designed to exfiltrate secrets such as API tokens, cloud credentials, and CI/CD access keys.

Recommended user actions

Please take the following precautions as soon as possible:

1. Review your dependencies and ensure that no compromised npm packages were installed, especially versions published after November 21st.
2. Rotate all potentially exposed secrets, including:

• CI/CD tokens
• Git provider tokens
• Cloud access keys (AWS/GCP/Azure)
• Any other sensitive environment variables used during builds

3. Rebuild with a clean environment, removing any cached artifacts or node_modules directories in your repositories.
4. Inspect your repositories for:

• Unexpected branches
• Unknown GitHub Actions workflows
• Any suspicious commits or automation files

Actions we are taking

To help protect all users, we will proactively delete all cached artifacts created after 20 November as the known start date of the attack activity is 21 November.

We will continue monitoring the situation closely and update you if new information becomes available. If you have any concerns or need assistance, please reach out to our support team.