Entro Security has taken a leading role in helping enterprises assess their exposure. The security platform provider published a deep technical analysis and released a free online tool, "Are My Secrets Out?", enabling organizations to check if their credentials were compromised in an incident affecting over 1,000 companies globally.
Entro Security analyzed the Shai Hulud 2.0 npm supply chain attack, which exposed hundreds of thousands of developer and CI/CD secrets.
The campaign impacted over 1,195 organizations, including major banks, governments, and Fortune 500 tech companies.
Entro cloned and analyzed over 30,000 attacker repositories, finding valid, high-value secrets days after disclosure.
The company released a free public tool, "Are My Secrets Out?", for organizations to check for exposed credentials.
Entro initiated proactive, responsible disclosure outreach to hundreds of affected organizations.
The attack highlights critical risks to Non-Human Identities (NHIs) and secrets within development pipelines.
Following the public disclosure of the Shai Hulud 2.0 campaign on November 24, 2025, Entro Security's research team conducted an extensive analysis. The company cloned and examined over 30,000 malicious GitHub repositories created by the attackers, linking the exfiltrated data to 1,195 organizations worldwide. The investigation revealed that the attack went beyond stolen code and exposed entire environments at large scale. The exposed data included memory snapshots and environment dumps from CI runners and developer machines, with live cloud credentials that remained valid more than 72 hours after public disclosure.
“Early analysis focused on the GitHub repos Shai Hulud created. What we saw in the raw data was something more serious, memory snapshots and environment dumps from real CI runners and developer machines, with live cloud and SaaS credentials still usable days later,” said Adam Cheriki, Entro’s co-founder and CTO. “That is why we decided to publish our findings, ship a free checker and start proactively notifying affected organizations as fast as possible.”
To assist the broader security community, Entro Security published a detailed technical analysis and launched "Are My Secrets Out?", a free online checker that allows organizations to safely test if their secrets appear in the compromised dataset. The tool has seen over 73,000 visits. Concurrently, Entro initiated a responsible disclosure effort, proactively contacting affected organizations, including its own customers, to warn them of live, exposed non-human identities and secrets. This outreach was cited by Elastic, a notable affected company, in its public incident response.
“Through our partner, Entro, Elastic was made aware that an Elastic continuous integration (CI) pipeline had run the Shai Hulud 2.0 malware...” wrote Mandy Andress, Chief Information Security Officer at Elastic.
The Shai Hulud 2.0 incident underscores a growing security challenge: the management and protection of machine identities and secrets within modern development and cloud environments. Entro positions the attack as a critical lesson in understanding the full blast radius of pipeline compromises, which extends far beyond source code to include the keys and identities that grant access to critical infrastructure.
“Shai Hulud 2.0 is a preview of how quickly malware can turn everyday pipelines into a full inventory of your secrets and non-human identities,” said Itzik Alvas, Co-founder and CEO at Entro Security. “If you only scan code, you are missing the real blast radius. You need to know which identities were exposed, what they can access and whether they have truly been revoked.”
Entro Security's response to Shai Hulud 2.0 demonstrates the evolving nature of supply chain threats and emphasizes the urgent need for specialized security focused on the lifecycle of non-human identities and secrets across cloud and development ecosystems.
About Entro Security
Entro is the leading enterprise security platform for AI Agents & Non-Human Identities. It discovers every API key, token, AI agent, and service account across the software development lifecycle. Entro then builds a contextual inventory that ties each machine identity or exposed secret to purpose, permissions, and human owners. Powered by the pioneering NHIDR™ engine, the platform detects behavioral anomalies for automated, risk-based remediation.