Bad Dependencies Podcast
Inside ShaiHulud 2.0: The Supply-Chain Worm That Read Your Secrets
27 Nov 2025
In this episode, I sit down with Charlie Eriksen, the researcher who uncovered the Shai Hulud 2.0 campaign, for a deep dive into one of the wildest supply-chain attacks we’ve seen. What began as a strange detection quickly unraveled into a worm that spread across npm, GitHub, and even a compromised Open VSX extension.

“Patient Zero” was AsyncAPI, where the attackers exploited a subtle GitHub Actions flaw that let them run malicious code inside the org’s own CI pipelines without their pull request ever being merged. Unmerged PR → full RCE → stolen org-level credentials.

From there, the worm propagated through packages, harvested secrets with TruffleHog, dumped them into tens of thousands of GitHub repos, and, most shockingly, contained a wiper mode that deleted a victim’s entire home directory if it couldn’t create new repos.

It’s a fascinating and slightly terrifying look at how modern supply-chain attacks actually work under the hood. Give it a listen.