Summary
Pi Agent: Pi loads project-local extensions without approval
References
Related vulnerabilities
- CRITICAL NPM-SHAI-HULUD-2-2025
A renewed wave of the Shai-Hulud worm, dubbed Shai-Hulud 2.0 or 'The Second Coming', began around November 21-24, 2025 and affected tens of thousands of GitHub repositories across roughly 350 unique users. The variant moved execution to the npm preinstall lifecycle hook, so the payload runs before the rest of the install completes, dropped large, heavily obfuscated payloads (setup_bun.js and bun_environment.js), and exfiltrated stolen secrets to public GitHub repositories described as 'Sha1-Hulud: The Second Coming'. As an aggressive fallback, it attempted to destroy the victim's entire home directory if credential theft failed.
- CRITICAL NPM-SHAI-HULUD-2025
Shai-Hulud was the first self-replicating worm to hit the npm ecosystem, disclosed around September 15, 2025. Beginning with the compromise of @ctrl/tinycolor (over 2 million weekly downloads), the malware harvested developer credentials (npm tokens, GitHub PATs, and AWS/GCP/Azure secrets) using the TruffleHog secret scanner, then automatically authenticated to npm and republished trojanized versions of every package the victim maintained, spreading exponentially without operator intervention. It exfiltrated stolen secrets to attacker webhooks and public GitHub repositories and established persistence via a malicious GitHub Actions workflow. More than 500 packages were ultimately compromised, including several CrowdStrike packages.
- HIGH SC-GHA-CACHE-POISON-2024
GitHub Actions cache poisoning abuses the fact that the Actions cache is shared across a repository's branches and is not integrity-validated against the producer, so a low-privileged context can plant a payload that a trusted context later restores and executes. Cache entries are keyed and versioned only by client-side computation, the branch-scoping boundary is not enforced server-side, and the restore step extracts the cached tarball without verifying that the restored files match what was originally cached. An attacker who gains code execution on a fork or low-privilege branch (commonly via script injection through untrusted inputs such as github.head_ref in a pull_request_target workflow) writes a malicious entry under a key that a higher-privilege workflow on a protected branch will restore, gaining code execution in the trusted context and access to its secrets. Two further properties widen the window: the runtime cache token stays valid after the job that issued it completes, and the per-repository cache size limit forces eviction of older entries, so the attacker can evict legitimate entries and substitute poisoned ones. Adnan Khan documented the class on May 6, 2024 and built the Cacheract tool, with confirmed findings in projects including angular/components, mdn/content, hyperledger/besu and a later full chain in angular/dev-infra that exposed an admin-scoped GitHub App token.
- MEDIUM GHSA-HHPQ-7WG4-36JM
CakePHP Authentication: Open redirect weakness via backslash bypass
- CRITICAL GHSA-8FQ9-273G-6MRG
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
- MEDIUM GHSA-X2QC-CMH9-F4HF
Deno: Denial of service via non-ASCII bytes in WebSocket response headers
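The install-time vector shared by NPM-SHAI-HULUD-2025 and NPM-SHAI-HULUD-2-2025 above can be checked on a checked-out project before any script runs: list every installed package that declares an npm lifecycle hook, and treat the payload file names the 2.0 entry gives as hard indicators. The audit script below is an added example, not code from the advisory, from npm, or from any affected package. The node_modules tree it scans is constructed inline with fictitious package names, and the file-name list is illustrative rather than a complete indicator set.

```python
"""Flag npm packages that execute code at install time (added example, not advisory code)."""
import json
import os
import tempfile

# npm runs these scripts during `npm install`; preinstall is the hook the 2.0 wave moved to.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Payload file names from the Shai-Hulud 2.0 entry above. Illustrative, not a full indicator set.
KNOWN_DROPPER_FILES = ("setup_bun.js", "bun_environment.js")


def audit_package(pkg_dir):
    """Return a finding for one package directory, or None if it has no install-time hook."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            meta = json.load(fh)
    except (OSError, ValueError):
        return None  # not a package, or a malformed manifest: nothing to judge here
    scripts = meta.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    on_disk = [f for f in KNOWN_DROPPER_FILES if os.path.isfile(os.path.join(pkg_dir, f))]
    referenced = [f for f in KNOWN_DROPPER_FILES if any(f in cmd for cmd in hooks.values())]
    if not hooks and not on_disk:
        return None
    # A known dropper name, on disk or invoked by a hook, is a hard indicator; any other
    # install-time script is a legitimate-but-review item (native builds, git hooks, etc.).
    severity = "critical" if (on_disk or referenced) else "review"
    return {
        "name": meta.get("name", os.path.basename(pkg_dir)),
        "version": meta.get("version"),
        "hooks": hooks,
        "dropper_files": sorted(set(on_disk) | set(referenced)),
        "severity": severity,
    }


def audit_node_modules(root):
    """Walk a node_modules tree (scoped and nested packages included) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            finding = audit_package(dirpath)
            if finding:
                findings.append(finding)
    # Hard indicators first, then alphabetical, for stable output.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["name"]))


def build_sample_tree():
    """Construct a throwaway node_modules with fictitious packages for the demo."""
    root = tempfile.mkdtemp(prefix="nm-audit-")

    def write_pkg(rel, meta, extra_files=()):
        pkg_dir = os.path.join(root, rel)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
        for name in extra_files:
            with open(os.path.join(pkg_dir, name), "w", encoding="utf-8") as fh:
                fh.write("// constructed placeholder, not a real payload\n")

    write_pkg("plain-lib", {"name": "plain-lib", "version": "1.3.0"})
    write_pkg("native-thing", {"name": "native-thing", "version": "2.0.0",
                               "scripts": {"install": "node-gyp rebuild"}})
    write_pkg("@example/demo-pkg", {"name": "@example/demo-pkg", "version": "4.1.1",
                                    "scripts": {"preinstall": "node setup_bun.js"}},
              extra_files=KNOWN_DROPPER_FILES)
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print(f"{f['severity']:8} {f['name']}@{f['version']} "
              f"hooks={f['hooks']} files={f['dropper_files']}")
```

Point `audit_node_modules` at a real project's `node_modules` after a `--ignore-scripts` install to review hooks before letting them run; `npm config set ignore-scripts true` is the corresponding blanket control, at the cost of breaking packages that genuinely need a native build step.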
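For SC-GHA-CACHE-POISON-2024 above, the practical question is which workflow files in a repository expose the entry point the entry describes: a trigger that runs with repository privileges on outsider-raised events such as pull_request_target, a run: step that interpolates an attacker-controlled expression such as github.head_ref into a shell script, and a cache restore in the same repository. The scanner below is an added example, not the Cacheract tool or any code from the write-up. It is a line-based heuristic rather than a YAML parser; the list of untrusted expressions beyond github.head_ref and the list of privileged triggers are illustrative assumptions, and the two workflow files it checks are constructed for the demo.

```python
"""Heuristic scan of GitHub Actions workflows for cache-poisoning entry points (added example)."""
import re

# Triggers that run with the base repository's privileges on events an outsider can raise.
# Assumption: an illustrative list, not an exhaustive one.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run", "issue_comment")
# github.head_ref is the input named in the entry above; the other fields are further
# PR/issue-controlled values and are an illustrative assumption, not a complete list.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|github\.event\.(?:issue|comment)\.(?:title|body))\s*\}\}"
)
CACHE_ACTION = re.compile(r"^\s*-?\s*uses:\s*actions/cache(?:/restore|/save)?@", re.M)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def run_blocks(text):
    """Yield (line_no, script) for each run: step, including block scalars (run: |)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^\s*(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        chunk = [m.group(1)]
        j = i + 1
        # Continuation lines of a block scalar are indented past the `run:` key itself;
        # sibling keys such as env: sit at the key's column and end the script.
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_col):
            chunk.append(lines[j].strip())
            j += 1
        yield i + 1, "\n".join(chunk)
        i = j


def scan_workflow(text):
    """Classify one workflow file's exposure; returns a dict a CI policy check can act on."""
    on_match = re.search(r"^on:(.*?)(?=^\S|\Z)", text, re.M | re.S)
    on_block = on_match.group(1) if on_match else ""
    triggers = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", on_block)]
    injections = [(line_no, m.group(1))
                  for line_no, script in run_blocks(text)
                  for m in UNTRUSTED_EXPR.finditer(script)]
    uses_cache = bool(CACHE_ACTION.search(text))  # this workflow is a cache consumer/producer
    if injections and triggers:
        verdict = "injection-in-privileged-context"
    elif injections:
        verdict = "injection"
    else:
        verdict = "ok"
    return {"triggers": triggers, "injections": injections,
            "uses_cache": uses_cache, "verdict": verdict}


# Constructed workflow files for the demo (not taken from any real repository).
VULNERABLE_WORKFLOW = """name: pr-label
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
      - run: |
          echo "Building branch ${{ github.head_ref }}"
          npm ci
"""

# Same data, but the untrusted value reaches the shell through an environment variable,
# so it is never interpolated into the script text.
SAFE_WORKFLOW = """name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Building branch $BRANCH"
        env:
          BRANCH: ${{ github.head_ref }}
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(label, scan_workflow(wf))
```

A workflow reported as `injection-in-privileged-context` is the producer side of the chain: the attacker's script runs with the repository's token and can write any cache key. A workflow with `uses_cache` true that also runs on a protected branch is the consumer side, and should not treat restored files as trusted input (for example, by restoring only artefacts that are re-verified against a lockfile hash, or by not caching executable content at all).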