TLDR
Supply chain attacks reached new heights in 2025 with the Salesforce OAuth compromise and Shai-Hulud npm worm. Attackers exploited trusted integrations rather than platform vulnerabilities, affecting over 700 organizations through Salesforce alone. The Shai-Hulud campaign introduced self-replicating malware that automatically infected additional packages, exposing thousands of developer credentials.
Traditional security controls failed because threats arrived through authorized channels using legitimate credentials. Organizations need behavioral detection for trusted integrations, comprehensive software dependency visibility, and incident response plans that assume vendor tools can be compromised.
In August 2025, Cloudflare detected unusual activity in their Salesforce environment. An attacker was accessing support case data, including customer correspondence and API tokens. The breach didn’t come from a phishing attack or network intrusion. It came through Drift, Salesforce’s AI-powered chatbot integration that Cloudflare used for customer support. The tool designed to improve customer service had become the attack vector.
Three months later, developers installing npm packages woke up to find their GitHub credentials exposed in public repositories labeled “Sha1-Hulud: The Second Coming.” The malware had infected over 700 packages from legitimate maintainers at Zapier, PostHog, and Postman.
When developers installed these packages, malicious code executed during the preinstall phase, harvested their credentials, and automatically infected other packages they maintained. Within hours, over 25,000 repositories were compromised.
These incidents from 2025 demonstrate how supply chain attacks have evolved. Adversaries no longer break through perimeter defenses. They compromise the trusted software integrations and open-source packages that development and operations teams depend on. Supply chain attacks succeed because they exploit the gap between what security teams can verify and what they must trust in production environments.
The lessons aren’t about better vendor questionnaires. They’re about detecting compromise in systems you already trust.
What Actually Happened
Salesforce: OAuth Tokens as Backdoors
In August 2025, threat actor UNC6395 gained unauthorized access to OAuth tokens from Salesloft’s Drift integration with Salesforce. Between August 8 and August 18, attackers systematically accessed Salesforce instances at over 700 organizations. Victims included Cloudflare, Zscaler, Palo Alto Networks, and dozens of other security and technology companies.
The attack worked because OAuth tokens grant API-level access to Salesforce data without requiring user credentials or multi-factor authentication. Once attackers obtained Drift’s OAuth tokens, possibly through compromising Salesloft’s GitHub repositories, they inherited trusted access to any Salesforce instance using that integration. From Salesforce’s perspective, the API calls looked legitimate.
The campaign resurfaced in November 2025 through compromised Gainsight applications, affecting an additional 200+ organizations using the same attack pattern. Threat groups including ShinyHunters and Scattered Spider attempted to extort victims, with Salesforce refusing ransom demands. The FBI issued alerts about two distinct groups, UNC6040 and UNC6395, targeting Salesforce instances through different methods.
Shai-Hulud: Self-Replicating Supply Chain Malware
In September 2025, security researchers discovered malicious versions of popular npm packages containing worm-like malware. The campaign, dubbed Shai-Hulud, compromised hundreds of packages maintained by legitimate developers. When developers installed these packages, the malware harvested GitHub tokens, npm credentials, AWS keys, and cloud provider secrets.
The critical innovation: Shai-Hulud was self-replicating. After stealing an npm token, the malware automatically published malicious versions of all packages that developer maintained, spreading exponentially without attacker intervention. Stolen credentials were exfiltrated to public GitHub repositories named “Shai-Hulud” containing JSON files with harvested secrets.
In November 2025, Shai-Hulud 2.0, referred to by operators as “The Second Coming,” escalated the campaign. The new variant executed during the preinstall phase instead of postinstall, meaning malicious code ran even if package installation failed. Within days, attackers compromised 796 additional packages affecting 20 million weekly downloads. The campaign created over 25,000 malicious GitHub repositories and exposed credentials from 500+ GitHub users across 150+ organizations.
CISA issued emergency alerts, and major packages from Zapier, ENS Domains, PostHog, and Postman were temporarily trojanized before maintainers regained control.
The Pattern
Both campaigns succeeded by exploiting trust. The Salesforce attacks used valid OAuth tokens from legitimate integrations. Shai-Hulud used compromised maintainer accounts to publish malicious versions of trusted packages.
Security tools had no reason to alert because the activity came from authorized sources using proper credentials. Detection required understanding what normal behavior looked like, not identifying known-bad signatures.
Lessons That Matter
Lesson 1: Integration Trust Must Be Continuously Validated
Organizations using Drift or Gainsight completed vendor security assessments when they enabled those integrations. Those assessments were irrelevant once attackers compromised the vendors’ authentication systems. Procurement-time vendor reviews don’t account for future compromise.
The organizations that detected the Salesforce attacks quickly were monitoring OAuth token behavior. When Drift’s integration started making unusual API calls or accessing data it didn’t normally touch, behavioral monitoring flagged the deviation. Those relying solely on vendor security certifications had no detection path until they received breach notifications.
Operational reality: instrument OAuth integrations like you instrument user accounts. Baseline normal API call patterns, data access volumes, and authentication timing. When a trusted integration deviates from established behavior, investigate immediately.
The FBI reported that reconnaissance by UNC6395 began as early as October 23, weeks before the main data exfiltration surge. Organizations with integration monitoring could have detected this reconnaissance phase.
Lesson 2: Open-Source Supply Chain Requires Runtime Visibility
When Shai-Hulud was disclosed, response speed depended on whether organizations knew which packages their developers and CI/CD pipelines were using. Teams with Software Bills of Materials (SBOMs) and dependency scanning identified affected systems within hours. Those without dependency visibility spent days or weeks inventorying their environments.
The challenge intensified with Shai-Hulud 2.0’s preinstall execution. Even failed package installations triggered the malware. Organizations needed to identify not just production dependencies but development environments, build systems, and any location where npm install might have run between November 21 and 24, 2025.
Detection came down to visibility. Microsoft’s analysis showed that Wiz, Datadog, and other security vendors detected the campaign by scanning for the specific GitHub repository description “Sha1-Hulud: The Second Coming.”
Organizations maintaining dependency inventories and monitoring developer GitHub activity could search for compromise indicators. Those without this visibility had no way to determine exposure.
Lesson 3: Legitimate Credentials Require Different Detection
Both campaigns used authorized access. Salesforce OAuth tokens were valid and properly authenticated. Shai-Hulud used legitimate maintainer credentials to publish packages. Traditional security controls designed to block unauthorized access were ineffective because the access was authorized.
Cloudflare’s detection of the Salesforce breach came from recognizing unusual data access patterns, not from blocking malicious IPs or invalid credentials. The attacker used Python scripts making rapid, systematic API calls that didn’t match normal support workflows. Similarly, Shai-Hulud detection required recognizing that packages were being published at unusual rates or that GitHub repositories with specific naming patterns were appearing across developer accounts.
This requires behavioral analysis that assumes attackers have valid credentials. Focus on volume anomalies, timing patterns, and access to data that legitimate use cases wouldn’t require. When Salesforce reported that the attacker used “Salesforce-Multi-Org-Fetcher/1.0” Python scripts to access data, that user-agent string was a detection opportunity for organizations monitoring their Salesforce API traffic.
Lesson 4: Worm Behavior Changes Response Requirements
Shai-Hulud introduced a new dimension: automated propagation. Once a single developer account was compromised, the malware spread to every package that developer could publish. If another developer then installed one of those compromised packages, their credentials were stolen and their packages infected. This cascade happened without direct attacker involvement.
Traditional incident response assumes containment stops lateral movement. Shai-Hulud invalidated that assumption. Even after npm removed malicious packages, if any developer’s local cache contained an infected version, reinstalling could trigger reinfection.
Organizations had to assume that any developer who installed packages between the attack dates might be compromised, regardless of whether specific compromised packages were identified in their environment.
The “dead man’s switch” in Shai-Hulud 2.0 escalated this further. Security researchers reported that the malware threatened to destroy user home directories if its exfiltration channels were blocked. This meant security teams couldn’t simply cut off GitHub access without risk of data destruction. Response required coordinated credential rotation, cache clearing, and environment rebuilding rather than simple network isolation.
Implications for Security Programs
Testing for Integration Compromise
Red team exercises should simulate compromised SaaS integrations. Can your security operations center detect unusual API behavior from Salesforce connected apps? Would they notice if a monitoring tool started accessing data outside its normal scope? If your detection assumes OAuth tokens are always trustworthy, you missed the attack vector that compromised 700+ organizations in 2025.
After the Salesforce incidents, organizations began implementing IP restrictions on OAuth tokens and requiring regular reauthorization for high-privilege integrations. Some established monitoring specifically for OAuth refresh token use, since attackers maintaining long-term access would need to refresh tokens periodically.
Rethinking Developer Environment Security
The Shai-Hulud campaign showed that developer workstations and CI/CD pipelines are now primary targets for supply chain attacks. Traditional endpoint security focused on preventing malware execution. Supply chain malware executes through legitimate package managers using proper installation procedures.
Detection requires monitoring package manager activity, tracking which npm packages CI/CD systems install, and scanning developer GitHub accounts for unusual repository creation. Several organizations discovered Shai-Hulud infections by searching GitHub for repositories with “Sha1-Hulud” or “Shai-Hulud Migration” in descriptions, finding public repositories containing their developers’ stolen credentials.
Build systems need network restrictions preventing automatic credential exfiltration. If npm install in a CI/CD pipeline can create arbitrary GitHub repositories, attackers will exploit that capability. Limiting build system network access to necessary package registries and internal resources contains the blast radius even if a malicious package executes.
Credential Rotation as Incident Response
Both campaigns required massive credential rotation efforts. For Salesforce, organizations revoked OAuth tokens and reauthorized integrations. For Shai-Hulud, teams rotated npm tokens, GitHub personal access tokens, SSH keys, cloud provider credentials, and any secrets that might have been present in compromised environments.
The challenge: determining which credentials were exposed. Shai-Hulud exfiltrated to public GitHub repositories, so organizations could search for their credential exposure. The Salesforce attacks happened through API access, making it harder to determine which data the attacker accessed. Organizations spent weeks analyzing Salesforce audit logs trying to understand the scope.
Incident response plans need procedures for large-scale credential rotation. Can you revoke and reissue all developer GitHub tokens in 24 hours? Can you identify every system using a particular OAuth token? The organizations that recovered quickly from these incidents had credential inventory and rotation capabilities ready.
Moving Forward
Supply chain attacks in 2025 demonstrated that trust relationships are the new perimeter. The Salesforce incidents compromised security-focused companies through AI chatbot integrations. Shai-Hulud infected packages maintained by experienced developers at established companies. Neither attack exploited platform vulnerabilities or required sophisticated zero-days.
Organizations that managed these incidents effectively had three capabilities: behavioral monitoring of trusted integrations, comprehensive dependency visibility across development and production, and credential rotation procedures prepared for large-scale response. Those still discovering compromise weeks after disclosure were operating without visibility into the software supply chain they depend on.
The next supply chain attack is already in development. It will use valid credentials and authorized access. Detection will require recognizing abnormal patterns in legitimate activity. The question facing security teams isn’t whether their vendors can be compromised, but whether they can detect when it happens.