Entro Security, a leading enterprise security platform for AI Agents & Non-Human Identities (NHIs), detailed its role in helping enterprises detect and contain the impact of the Shai Hulud 2.0 software supply chain attack, which exposed hundreds of thousands of developer and CI/CD secrets affecting over 1,000 organizations.
The Shai Hulud 2.0 campaign has rapidly become one of the most significant npm supply chain incidents to date, compromising hundreds of open-source dependencies and mass publishing stolen credentials into attackers’ public GitHub repositories. Hours after the campaign was publicly disclosed on November 24, 2025, by Aikido Security, Entro’s research team cloned and analyzed over 30,000 Shai Hulud 2.0 repositories, tying exfiltrated data to 1,195 organizations worldwide, including major banks, governments and Fortune 500 technology companies. In many environments, high-value CI and cloud secrets remained valid more than 72 hours after the attack became public.
Early response: analysis and free secrets checker
As part of its initial response, Entro published a technical analysis of the attack that reframed the incident as a large-scale exposure of environments, non-human identities and secrets across CI pipelines, developer endpoints and cloud workloads.
To help defenders decide whether their own environments were caught in the blast radius, Entro also released “Are My Secrets Out?”, a free online checker that lets organizations safely test whether their secrets appear in the Shai Hulud 2.0 dataset. The tool has been promoted broadly to the security community and is available to any organization. To date, there have been over 73,000 visits to the tool.
“Early analysis focused on the GitHub repos Shai Hulud created. What we saw in the raw data was something more serious, memory snapshots and environment dumps from real CI runners and developer machines, with live cloud and SaaS credentials still usable days later,” said Adam Cheriki, Entro’s co-founder and CTO. “That is why we decided to publish our findings, ship a free checker and start proactively notifying affected organizations as fast as possible.”
Proactive outreach to hundreds of affected organizations
Based on the vast dataset and decoded environment artifacts, Entro initiated a responsible disclosure effort, reaching out directly to affected organizations as well as its own global customer base. The company prioritized environments where Entro validation showed that non-human identities and secrets remained live and usable.
One of the environments that ran Shai Hulud 2.0 malware belonged to Elastic, a leading search and security company and an Entro customer. In Elastic’s public incident blog, Chief Information Security Officer Mandy Andress highlighted Entro’s role in detecting the exposure:
“Through our partner, Entro, Elastic was made aware that an Elastic continuous integration (CI) pipeline had run the Shai Hulud 2.0 malware…”
The affected Elastic pipeline, used for GitOps automation, published data to a public GitHub repository. According to Elastic’s disclosure, the company removed the compromised open-source dependency, identified impacted pipelines and users, and rotated all non-ephemeral secrets. Their investigation concluded there was no impact to Elastic customers and that the pipeline was not associated with any Elastic product.
Shai Hulud 2.0: a wake-up call for non-human identity security
“Shai Hulud 2.0 is a preview of how quickly malware can turn everyday pipelines into a full inventory of your secrets and non-human identities,” said Itzik Alvas, Co-founder and CEO at Entro Security. “If you only scan code, you are missing the real blast radius. You need to know which identities were exposed, what they can access and whether they have truly been revoked.”
Security teams can use Entro’s “Are My Secrets Out?” tool to quickly test whether their secrets appear in the Shai Hulud 2.0 dataset, and then plug Entro into their environment for continuous discovery, monitoring and lifecycle management of AI agents, NHIs and secrets across cloud, CI/CD and SaaS.
Source: GlobeNewswire





