Past event

Wiz hosted event

The Era of the Self-Propagating Cloud Worm: Dissecting the "Shai-Hulud" Campaigns

Lomond Auditorium, SEC, Glasgow
Apr 22, 2026 1:20 PM

The distinction between "code security" and "cloud security" has evaporated. In late 2025, the "Shai-Hulud" campaigns demonstrated a significant evolution in adversary tradecraft: the weaponization of the open-source ecosystem to launch self-propagating worms that pivot from development environments to cloud control planes. This talk dissects the anatomy of this campaign, which compromised over 25,000 repositories and 350 organizations. We will provide a deep dive into the adversary’s use of automation to scale infections at a rate of 1,000 repositories every 30 minutes, their use of "cross-victim exfiltration" to obfuscate attribution, and the deployment of novel persistence mechanisms like GitHub Discussion backdoors. Attendees will gain a technical understanding of how supply chain attacks have shifted from static malicious packages to dynamic, environment-aware worms.

Scott McAndrew, Office of the CTO, Wiz 
