Statement on MD-2025-1124 Shai-Hulud 2.0 Vulnerability
November 24, 2025
Information
The Shai-Hulud 2.0 Vulnerability is a self-replicating malware worm that targets the Node Package Manager (npm) supply chain. This version differs in that it can execute during pre-install, can infect more npm packages, and will attempt to destroy the user's home directory if access is lost.
For additional information, please refer to: GitLab Discovers widespread npm supply chain attack.
Risk
Not Applicable
Response
Melissa Data Corporation (“Melissa”) was not impacted by the Shai-Hulud 2.0 vulnerability, as none of the affected packages are used in any Melissa commercial web service or product, nor by any vendor of software installed on Melissa servers. Melissa has performed a thorough investigation of in-house-built APIs, web interfaces, and vendor-supplied solutions. Melissa will continue to monitor systems to prevent any impacted packages from being installed and will follow all guidance provided for this vulnerability as necessary to prevent any future risks.