This week we saw the return of a cyber threat that we hoped was buried, but in hindsight we should have seen it coming. In September of this year, the open source package registry npm suffered a supply chain attack that affected a large number of open source packages used by application developers worldwide. As I worked with my team to understand the organizational impact and get things contained, I couldn’t help but be impressed by how clever the attack was. My second thought was that we would see more of these, and it seemed to me that this was really just a proof-of-concept software supply chain attack.
Fast forward two months and Shai-Hulud is back with some improvements, and once again I can’t help but feel that the attackers are just scratching the surface. I won’t go into the technical details of the attack because there are already plenty of breakdowns out there. What I don’t see much of is a detailed analysis of what this means for business operations. The impact is significant, and if CISOs aren’t concerned just yet, I think the reality will set in once the dust settles from this latest attack.
Here are just a few things that CISOs are going to have to consider right now, on top of the other demands the role already carries:
The Dev Environment Can’t Be The Weak Link Anymore
Development environments can no longer get away with scaled-back security controls compared to production. Traditionally they have had lighter controls because we don’t keep production data there. That is still true, but it misses what a developer workstation or build server does hold: API keys, registry and repository access tokens, and cloud credentials, usually sitting in plain text in dotfiles and environment variables. Anything that runs in that environment, including a compromised package pulled in during a build, runs with the developer’s access and can read and exfiltrate those credentials. That is why a distinct set of security controls for development environments is needed now more than ever.
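To make that exposure concrete, here is an added example (not code from the original post or from any vendor) that inventories the credentials a process running as a developer could read. It builds a constructed home directory in a temp folder with the kinds of files developers keep (.npmrc, .env, AWS credentials) and a constructed process environment; the file list, token prefixes and environment-variable name patterns are assumptions about what a typical workstation holds, and anyone using it for real would pass their actual home directory and dict(os.environ).

```python
"""Inventory the credentials readable from a developer environment.

Added example over constructed data. It creates a throwaway home directory
and scans it the way any process running as the developer could, including
a package that runs code during installation. Nothing here touches a real
home directory unless you point it at one.
"""
import re
import tempfile
from pathlib import Path

# Assumed: files that routinely hold long-lived credentials on a workstation.
CREDENTIAL_FILES = [
    ".npmrc",                 # registry auth tokens (often with publish rights)
    ".env",                   # application secrets copied from production
    ".aws/credentials",       # cloud access keys
    ".git-credentials",       # stored git HTTPS passwords or tokens
    ".config/gh/hosts.yml",   # GitHub CLI token
]

# Token formats with a recognisable prefix, so a hit is a confirmed secret,
# not just a suspicious key name.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "npm_auth_line": re.compile(r"_authToken\s*=\s*\S+"),
    "aws_secret_key": re.compile(r"aws_secret_access_key\s*=\s*\S+", re.I),
}

# Assumed: environment variable names that usually carry a secret.
ENV_NAME_PATTERN = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|ACCESS_KEY)", re.I)


def scan_file(path: Path) -> list[tuple[str, str]]:
    """Return (location, kind) for every token pattern found in one file."""
    findings = []
    text = path.read_text(errors="replace")
    for kind, pattern in TOKEN_PATTERNS.items():
        if pattern.search(text):
            findings.append((str(path), kind))
    return findings


def find_exposed_credentials(home: Path, env: dict[str, str]) -> list[tuple[str, str]]:
    """List credentials readable by any process running as this developer.

    Everything returned here is readable, and therefore exfiltratable, by code
    that executes with the developer's privileges.
    """
    findings = []
    for rel in CREDENTIAL_FILES:
        path = home / rel
        if path.is_file():
            findings.extend(scan_file(path))
    for name, value in env.items():
        if value and ENV_NAME_PATTERN.search(name):
            findings.append((f"env:{name}", "env_secret"))
    return findings


def build_constructed_home() -> Path:
    """Create a throwaway home directory with constructed, fake credentials."""
    home = Path(tempfile.mkdtemp(prefix="devhome-"))
    (home / ".npmrc").write_text(
        "//registry.npmjs.org/:_authToken=npm_" + "A" * 36 + "\n"
    )
    # A harmless .env line: the scan should not flag it.
    (home / ".env").write_text("DATABASE_URL=postgres://localhost/app\n")
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id=AKIA" + "Z" * 16 + "\n"
        "aws_secret_access_key=" + "s" * 40 + "\n"
    )
    return home


# Constructed process environment; a real scan would pass dict(os.environ).
CONSTRUCTED_ENV = {
    "PATH": "/usr/bin",
    "GITHUB_TOKEN": "ghp_" + "b" * 36,
    "CI": "true",
}


if __name__ == "__main__":
    home = build_constructed_home()
    for location, kind in find_exposed_credentials(home, CONSTRUCTED_ENV):
        print(f"{kind:20s} {location}")
```

On the constructed data the scan reports five readable secrets: an npm auth line and npm token in .npmrc, an AWS access key id and secret key in .aws/credentials, and a GitHub token in the environment, while the harmless database URL in .env is not flagged. The point for a CISO is the length of that list on a real workstation, because every entry is a credential the attacker gets for free the moment their code runs there.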
“Lessons Learned” Won’t Survive the Next Attack
The lessons learned from the last attack aren’t enough to survive the next one. The new destructive nature of Shai-Hulud 2.0 means we need to go beyond lessons learned and try to respond proactively to the next evolution of the attack… and there will be a next attack!
Identity Governance Must Now Cover API keys and Tokens
Identity and access governance needs to expand to cover API keys and access tokens. Most organizations are getting better at managing user accounts, groups and other identity features in production environments. We validate accounts and revoke access promptly, but what about API keys and repository access tokens? Does each one have a named owner, a minimal scope, an expiry date and a last-used record, and is it revoked as promptly as a departing employee’s account? Are you taking the same care with these credentials?
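What "the same care" looks like in practice is an audit over a token inventory, applying the checks already applied to user accounts. The following is an added example (not the post’s own tooling) over a constructed inventory; the record layout, the 90-day rotation age, the 30-day idle window and the set of high-risk scopes are assumed policy values, and the reference date is constructed.

```python
"""Apply account-style governance checks to API keys and access tokens.

Added example over a constructed inventory. Each record is the kind of
metadata a package registry, source host or cloud console exports about a
token. The output is a revocation worklist, highest-risk scopes first.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MAX_TOKEN_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=30)        # assumed: unused this long means unneeded
HIGH_RISK_SCOPES = {"publish", "repo", "workflow", "admin:org"}  # assumed


@dataclass(frozen=True)
class Token:
    token_id: str
    system: str               # "npm", "github", "aws", ...
    owner: str | None         # None: nobody has claimed it
    scopes: frozenset[str]
    created: date
    last_used: date | None    # None: never used
    expires: date | None      # None: never expires


def audit_token(token: Token, today: date) -> list[str]:
    """Return every governance failure for one token (empty list means pass)."""
    reasons = []
    if token.owner is None:
        reasons.append("no owner")
    if token.expires is None:
        reasons.append("never expires")
    if today - token.created > MAX_TOKEN_AGE:
        reasons.append(f"older than {MAX_TOKEN_AGE.days} days")
    # A token that has never been used is idle since the day it was created.
    last_activity = token.last_used or token.created
    if today - last_activity > MAX_IDLE:
        reasons.append(
            "never used" if token.last_used is None
            else f"idle more than {MAX_IDLE.days} days"
        )
    return reasons


def audit_inventory(tokens: list[Token], today: date) -> list[tuple[str, str, list[str]]]:
    """Return a revocation worklist of (priority, token_id, reasons), high first."""
    worklist = []
    for token in tokens:
        reasons = audit_token(token, today)
        if not reasons:
            continue
        priority = "high" if token.scopes & HIGH_RISK_SCOPES else "normal"
        worklist.append((priority, token.token_id, reasons))
    worklist.sort(key=lambda row: (row[0] != "high", row[1]))
    return worklist


# Constructed reference date and inventory (not real tokens or systems).
TODAY = date(2025, 11, 30)
INVENTORY = [
    Token("npm-ci-publish", "npm", "ci-bot", frozenset({"publish"}),
          TODAY - timedelta(days=200), TODAY - timedelta(days=1), None),
    Token("gh-alice-read", "github", "alice", frozenset({"read:packages"}),
          TODAY - timedelta(days=10), TODAY - timedelta(days=2), TODAY + timedelta(days=80)),
    Token("aws-legacy", "aws", None, frozenset({"s3:GetObject"}),
          TODAY - timedelta(days=400), None, None),
    Token("gh-bob-repo", "github", "bob", frozenset({"repo", "workflow"}),
          TODAY - timedelta(days=60), TODAY - timedelta(days=45), TODAY + timedelta(days=30)),
]


if __name__ == "__main__":
    for priority, token_id, reasons in audit_inventory(INVENTORY, TODAY):
        print(f"[{priority}] {token_id}: {', '.join(reasons)}")
```

On the constructed inventory the worklist puts the two high-risk-scope tokens first: a publish token in CI that never expires and is long past rotation age, and a repo/workflow token that has sat idle beyond the window. The ownerless, never-used cloud key with a narrow scope is still listed for revocation, just at normal priority, and the short-lived read-only token passes. The same four questions that user-account reviews already ask (owner, scope, expiry, last use) are all it takes to generate this list; the hard part is getting the inventory exported in the first place.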
Security Will Get Stricter and New Architectures Will Be Essential
The security controls that are needed are going to make CISOs even less popular. Development and deployments are going to slow down, or organizations are going to need to invest in new architectures that account for both speed and security. Either way, to address the problem, budgets are going to have to grow or senior leaders will need to be prepared to accept a higher level of risk.
Annual Tabletops Won’t Cut It
Annual tabletop exercises are not going to cut it. What’s that? You haven’t done a tabletop exercise? OK, how good is your cyber insurance? With supply chain attacks like Shai-Hulud, the ability of technical teams to act and adapt quickly is paramount! You can rely on your cyber insurance to help reduce your immediate financial losses, but it won’t restore your reputation or customer trust. Being prepared is the best defence. Frequent tabletop exercises will help your team get comfortable handling cyber security events and allow you to respond quickly.
The unfortunate thing is that responding to Shai-Hulud 2.0 (or 3.0 in 2026) is something most cybersecurity programs are not ready to handle. Small cyber teams, relatively small budgets and increasing compliance demands mean that most organizations do not have the cybersecurity foundations to adapt quickly to new threats like Shai-Hulud.
If you want support to strengthen your organization’s position against Shai-Hulud and the next generation of threats, AniSoft is here to help. We have an experienced team of cybersecurity professionals with a track record of building effective cybersecurity programs. Feel free to reach out and speak with me or one of our other team members about safeguarding your organization.
Written by Chris Rothecker, Director, Cybersecurity AniSoft Group