Shai Hulud 2.0 Aftermath - What Every Incident Response Team Should Know

Supply chain attacks continue to evolve, and Shai Hulud 2.0 shows just how quickly they can spread. This campaign abused trust in popular npm packages to plant credential-harvesting malware, then used those credentials to move across repos and CI workflows. Even organizations that enforce strict controls on public repositories were impacted. Once credentials were exposed, anyone could pick them up, which gave a foot in the door for more sophisticated attack vectors.

In this session, the Wiz Customer Incident Response Team (CIRT) will walk through how we identified and investigated Shai Hulud 2.0 from the first signals. We will share what made this escalation different, why the first 24 to 48 hours are crucial for incident response in this case, and how the teams were able to notify affected customers on time.

Wiz CIRT is actively monitoring the exposed public data, relevant detections across the Wiz platform, and notifying impacted organizations. We will also explain how having a clear view from code to cloud to runtime helps teams detect issues earlier, contain them quickly, and recover with confidence.