Concise Cyber

Shai-Hulud v2 Malware Spreads to Maven, Exposing Thousands of Developer Secrets

A sophisticated malware campaign, codenamed Shai-Hulud v2, has successfully breached the Maven Central repository after initially targeting the npm package ecosystem. The cross-platform supply chain attack has resulted in the exfiltration and exposure of thousands of sensitive developer secrets.

From npm to the Java Ecosystem

Security analysts first identified the Shai-Hulud v2 operation targeting developers within the JavaScript community via malicious packages uploaded to the npm registry. The campaign has now evolved, with threat actors successfully publishing similarly compromised packages to Maven Central, the primary repository for the Java programming language. This expansion demonstrates a calculated effort to compromise a broader range of software development pipelines.

The attack vector relies on dependency confusion and typosquatting techniques. Malicious packages are published with names closely resembling popular, legitimate libraries, tricking automated build systems and developers into downloading and integrating the malware into their projects. Once installed, the malicious code executes during the software build process.
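The two techniques named above, typosquatting and dependency confusion, can both be screened for before a build resolves anything. The following Python script is an added example written for this summary; it is not code from the article, from the campaign, or from any package manager. The trusted-package allowlist, the internal namespace prefix and the sample manifest entries are all constructed for illustration. It flags a dependency when its name sits within a small edit distance of a trusted package (a typosquat candidate), or when a name that belongs to a private namespace is about to be fetched from a public registry (the dependency-confusion pattern); it works on plain npm names and on Maven `groupId:artifactId` coordinates alike.

```python
"""Pre-build dependency screening for typosquatting and dependency confusion.

Added example, not the article's or any project's code. All names below
(allowlist, internal prefix, manifest entries) are constructed sample data.
"""
from dataclasses import dataclass


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    name: str
    kind: str      # "typosquat" or "dependency-confusion"
    detail: str


def screen_dependencies(deps, known_good, internal_prefixes, max_distance=2):
    """Return a Finding for each suspicious dependency.

    deps:             list of (name, registry) pairs from the build manifest
    known_good:       set of trusted package names (npm names or Maven coordinates)
    internal_prefixes: namespaces that exist only in the private registry
    """
    findings = []
    for name, registry in deps:
        if name in known_good:
            continue
        # Dependency confusion: a private namespace must never resolve from a public registry.
        if registry != "internal" and any(name.startswith(p) for p in internal_prefixes):
            findings.append(Finding(name, "dependency-confusion",
                                    f"internal namespace resolved from {registry}"))
            continue
        # Typosquatting: an unknown name that is a near-miss of a trusted one.
        for good in known_good:
            d = levenshtein(name, good)
            if 0 < d <= max_distance:
                findings.append(Finding(name, "typosquat", f"{d} edit(s) from {good}"))
                break
    return findings


# Constructed sample data (hypothetical names, not real packages).
KNOWN_GOOD = {
    "lodash",
    "express",
    "com.fasterxml.jackson.core:jackson-databind",
}
INTERNAL_PREFIXES = ("com.acme-internal:",)
SAMPLE_MANIFEST = [
    ("lodash", "npm"),                                        # trusted, exact match
    ("lodahs", "npm"),                                        # near-miss of lodash
    ("com.acme-internal:billing-client", "central"),          # private name from public registry
    ("com.fasterxml.jackson.core:jackson-databind", "central"),  # trusted
    ("left-pad", "npm"),                                      # unknown but not a near-miss
]


def screen_sample():
    """Run the screen over the constructed manifest."""
    return screen_dependencies(SAMPLE_MANIFEST, KNOWN_GOOD, INTERNAL_PREFIXES)


if __name__ == "__main__":
    for f in screen_sample():
        print(f"{f.kind:22s} {f.name}: {f.detail}")
```

The edit-distance threshold is deliberately small: at distance 2 the script catches swapped or dropped characters without drowning the team in false positives from genuinely distinct short names. A screen like this belongs in CI before dependency resolution runs, alongside a lockfile and a registry configuration that pins private namespaces to the private registry, since the malware described above only gets its chance once the build has already pulled the package.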

Large-Scale Secret Exfiltration Confirmed

The primary function of the Shai-Hulud v2 malware is to scan infected environments for sensitive information. The campaign has successfully harvested thousands of secrets from compromised developer machines and continuous integration/continuous deployment (CI/CD) systems. The exfiltrated data is sent to a remote command-and-control server operated by the attackers.

Analysis of the exposed data confirms the theft of API keys, database credentials, private cryptographic keys, and environment variables. These secrets provide access to critical cloud infrastructure, source code repositories, and other internal enterprise services. The scale of the exposure marks this as a significant software supply chain incident.

Source: https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html