Shai-Hulud Proved It: Attackers Hunt NHIs First, Because That’s Where the Power Is
Shai-Hulud wasn’t loud for the sake of noise; it was a powerful, well-structured attack that understood the modern software ecosystem better than many defenders do. And it validated the clearest trend in 2025 security: attackers prioritize non-human identities (NHIs) over everything else.
Shai-Hulud’s Behavior Made Attacker Priorities Obvious
When the worm executed, it immediately searched for automation credentials. It pulled CI/CD runner tokens from environment variables, harvested GitHub PATs from local configs, and scraped cloud access keys from developer machines and build logs. These weren’t random secrets; they were machine identities with the authority to deploy, publish, and operate real infrastructure.
A single stolen npm publish token allowed the attacker to republish more than twenty packages in one hop. Stolen GitHub PATs gave access to private repos and workflows. Cloud keys from AWS, GCP, and Azure provided infrastructure-level permissions. The worm didn’t need human credentials; NHIs already carried the power to move laterally, escalate, and replicate.
We offer a free Shai-Hulud impact assessment to help determine whether your environment was affected and to identify any exposed secrets. Request your free check here: https://www.hush.security/shai-hulud-assessment
What makes our check different
Unlike static/API scans, our assessment inspects secrets in runtime, outside-in and inside-out, to find active abuse paths and deliver a prioritized remediation report.
Why NHIs Made the Attack So Effective
Shai-Hulud didn’t rely on fragile tricks. It leaned on identity realities: NHIs are everywhere, heavily privileged, and rarely monitored.
TruffleHog embedded in the payload searched through git histories, CI caches, and artifact directories, all places where forgotten NHIs hide long after their supposed rotation. That’s why the worm exfiltrated thousands of valid automation credentials. It understood that machine identities live longer than developers expect and accumulate more privilege than anyone tracks.
Propagation was driven entirely by NHI permissions. The worm enumerated every package a compromised identity could publish and used that privilege graph to spread. It wasn’t exploiting vulnerabilities; it was exploiting how software engineering works.
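To make that privilege graph concrete from the defender’s side, here is an added example (not code from the post or from Hush Security) that models each NHI by the packages it can publish and the packages installed wherever that token lives, then computes how far a single compromised token could spread. The inventory, token names and package names are constructed for illustration.

```python
from collections import deque

# Constructed inventory (hypothetical tokens and packages, not real ones):
# which NHI (publish token) can publish which packages ...
CAN_PUBLISH = {
    "token-alice": {"pkg-a", "pkg-b"},
    "token-bob": {"pkg-c"},
    "token-ci-runner": {"pkg-d", "pkg-e", "pkg-f"},
    "token-carol": {"pkg-g"},
}
# ... and which packages are installed in the environment that holds each token.
INSTALLS = {
    "token-alice": {"pkg-c"},
    "token-bob": {"pkg-d"},
    "token-ci-runner": {"pkg-a", "pkg-g"},
    "token-carol": {"pkg-x"},  # published by nobody in this inventory
}


def blast_radius(seed, can_publish, installs):
    """Return (exposed identities, taintable packages) reachable from one compromised NHI.
    Hop model from the post: a compromised token republishes its packages, and any
    identity whose environment installs one of those packages is exposed in turn."""
    installed_by = {}
    for ident, pkgs in installs.items():
        for pkg in pkgs:
            installed_by.setdefault(pkg, set()).add(ident)
    exposed, taintable = {seed}, set()
    queue = deque([seed])
    while queue:  # breadth-first walk over the identity -> package -> identity graph
        ident = queue.popleft()
        for pkg in can_publish.get(ident, ()):
            taintable.add(pkg)
            for nxt in installed_by.get(pkg, ()):
                if nxt not in exposed:
                    exposed.add(nxt)
                    queue.append(nxt)
    return exposed, taintable


def rank_by_blast_radius(can_publish, installs):
    """Rank every NHI by how many packages its compromise could ultimately taint;
    the top entries are the tokens to scope down and rotate first."""
    scores = [(ident, len(blast_radius(ident, can_publish, installs)[1]))
              for ident in can_publish]
    return sorted(scores, key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    for ident, score in rank_by_blast_radius(CAN_PUBLISH, INSTALLS):
        print(f"{ident}: {score} packages reachable")
```

Note that token-carol, which publishes a single package, ranks highest because the CI runner installs it: blast radius is a property of graph position, not of how many direct permissions a token holds.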
What the Attack Validates
Shai-Hulud proved that the fastest way to gain real control in a modern environment is through the identities that automate everything. NHIs publish packages, trigger pipelines, deploy infrastructure, sign builds, and access cloud resources. Their compromise leads directly to production impact.
Attackers know this. Shai-Hulud showed it plainly.
What Organizations Must Do Next
The takeaway isn’t to dismiss the attack; it was powerful. The takeaway is to align defenses with what attackers already prioritize.
Organizations need visibility into NHIs, lifecycle control for tokens and keys, and a recognition that CI/CD is now a production attack surface.
Shai-Hulud exposed the gap between how companies treat machine identities and how attackers exploit them.