惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

酷 壳 – CoolShell
酷 壳 – CoolShell
GbyAI
GbyAI
SecWiki News
SecWiki News
Project Zero
Project Zero
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy International News Feed
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
A
Arctic Wolf
Security Latest
Security Latest
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog
Apple Machine Learning Research
Apple Machine Learning Research
T
Tailwind CSS Blog
The Hacker News
The Hacker News
T
Tenable Blog
雷峰网
雷峰网
有赞技术团队
有赞技术团队
V
V2EX
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threat Research - Cisco Blogs
T
Threatpost
AWS News Blog
AWS News Blog
L
LINUX DO - 热门话题
Application and Cybersecurity Blog
Application and Cybersecurity Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
SegmentFault 最新的问题
月光博客
月光博客
Spread Privacy
Spread Privacy
S
Secure Thoughts
宝玉的分享
宝玉的分享
博客园 - 三生石上(FineUI控件)
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
The Last Watchdog
The Last Watchdog
Y
Y Combinator Blog
I
Intezer
博客园 - 【当耐特】
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs
I
InfoQ
博客园 - 叶小钗
Cyberwarzone
Cyberwarzone
V2EX - 技术
V2EX - 技术
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Hugging Face - Blog
Hugging Face - Blog
H
Help Net Security
C
CERT Recently Published Vulnerability Notes

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities
2025-11-25 · via Aikido Security's Blog

Only a day has passed since the second Shai Hulud supply-chain attack rippled across the ecosystem, and new users and organizations are still being compromised every hour. As we sift through the fallout, we are beginning to uncover the initial infection vector the attackers used to compromise major projects like AsyncAPI, PostHog, and Postman, and it is becoming clear that we have not seen the full extent of this campaign yet. By exploiting subtle but powerful vulnerabilities in GitHub Actions workflows, the attackers demonstrated a troubling evolution in their delivery methods. This is a strong reminder that our defenses must evolve just as quickly and that the security of the open-source ecosystem depends on continuously hardening the infrastructure we often take for granted.

Timeline of the Shai-Hulud Campaign

  • August 27 - We release our report detailing the S1ngularity campaign targeting several nx packages on npm.  
  • September 16 - The attacker strikes again, launching the first wave of the Shai-Hulud attacks.  
  • September 18 - We publish a follow-up analysis, diving deeper into the campaign’s technical quirks and early payload behavior.  
  • November 24 - A second strike occurs, dubbed the “Second Coming” by the attackers, timed just before npm’s deadline for revoking old tokens.
  • November 25 - We uncover the attackers’ initial entry vector through vulnerable GitHub Actions workflows in projects like AsyncAPI, PostHog, and Postman.

A quick refresher

Ever since the Nx breach and the Shai Hulud attack, we have known that the attacker has been abusing GitHub Actions workflows to exfiltrate data through webhook.site links. In earlier incidents, the method was straightforward. The attacker planted a deliberate backdoor inside a workflow file, and that backdoor quietly transmitted sensitive information, including credentials, back to an attacker-controlled endpoint.

What we are seeing in the latest wave of the Shai Hulud campaign is more advanced. Instead of inserting backdoors directly, the attackers are now exploiting vulnerabilities in existing GitHub Actions workflows to execute their attack. This shift in technique is what allowed them to compromise projects like AsyncAPI, PostHog, and Postman in yesterday’s Shai-Hulud attack.

Our investigation began when we noticed several suspicious uploads to NPM tied to unexpected usernames such as “codespace” and “runner.” These uploads immediately stood out as anomalies, and deeper analysis showed that they were all likely seeded manually by the attacker through GitHub Actions exploitation. We were later notified by a third party about a related malicious OpenVSX extension with a similar pattern. This discovery confirmed that the attackers have evolved their methods and are now leveraging CI misconfigurations as part of their intrusion chain.

How the attacker used GitHub Actions Vulnerabilities

GitHub Actions workflows are automated scripts that run inside a repository to handle tasks such as testing, building, publishing, or managing pull requests. They are powerful and flexible, but that power comes with risk, especially when workflows are configured without a full understanding of how they execute untrusted code.

Certain workflow triggers, including pull_request_target and workflow_run, can become dangerous when misconfigured. This is exactly what happened in the case of PostHog, as shown in the screenshot. The issue was first brought to broader attention by Adnan Khan, a security researcher who highlighted the vulnerable workflow in an X post. The attack was likely caused by a vulnerability inside the .github/workflows/auto-assign-reviewers.yml workflow. That file used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run. The vulnerability was first introduced on September 11 2025 through a merged pull request, where it remained available until the Shai Hulud attack. In total, the issue was present for 74 days before the attacker exploited it.

A similar pattern appears in the AsyncAPI repository. We found that their .github/workflows/auto-changeset.yml file contained a vulnerable configuration added on September 9 2025. The AsyncAPI team has since removed the file following our recommendation, but the configuration was available long enough for the attacker to include this project in the campaign.

It is worth noting that one of these projects was already using a PR-scanning tool, yet it still failed to detect the vulnerabilities hidden within the GitHub Actions workflows. In the case of PostHog, GitHub warned about the vulnerability, but that warning went unaddressed. This highlights the need for security tooling that can understand and flag issues across a wide range of systems and languages, including CI configuration vulnerabilities. Once an attacker identifies an exploitable workflow in a project, that single weakness can serve as a foothold for an attack that spreads at a scale we have not seen before, as demonstrated by the Shai Hulud worm.

What you should know and actions to take

As these threats continue to evolve, it becomes increasingly important to understand how vulnerabilities in GitHub Actions workflows can expose not just your own project, but every project and user connected to it. A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day. Developers can only defend against what they know, so awareness of dangerous workflow patterns such as pull_request_target and workflow_run is essential. Another option is to use a security platform like Aikido that automatically scans repositories and incoming pull requests for these types of vulnerabilities.

It is equally important to remain aware of vulnerabilities in the dependencies you install. Even if your own workflows are secure, compromised packages upstream can still introduce risk. This is where Aikido’s SCA capabilities, Intel Vulnerability Database, and Package Health insights are especially useful, helping teams catch issues early and understand whether the libraries they rely on show signs of compromise or suspicious activity.

Finally, having a tool that can stop malware in real time as it appears can prevent a serious infection. This is the idea behind Aikido Safe Chain, a free tool that wraps around npm and uses both AI and human malware researchers to detect and block the latest supply chain risks before they enter your environment.