Shai Hulud 2.0: What the Unknown Wonderer Reveals About the Attackers’ Endgame
New research into the Shai Hulud 2.0 supply chain attack reveals a multi-step attack chain that began on November 23, 2025. Attackers used a 'Pwn Request' technique against the asyncapi/cli GitHub repository to exfiltrate GitHub tokens via a malicious fork commit, then deployed a worm through a compromised OpenVSX extension. A key finding is the exploitation of GitHub's 'Imposter Commits' behavior, where fork commits are accessible via the original repository's commit hash, enabling what researchers call a 'Repository Confusion' vulnerability. The attacker's username UnknownWonderer1 is analyzed as a Dune-inspired reference suggesting ideological motivation beyond financial gain.
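The "Repository Confusion" point above has a practical consequence for defenders: pinning a GitHub Action or dependency to a commit hash is only as good as the check that the hash actually belongs to the upstream repository's history, because a hash pushed to a fork can still resolve under the upstream URL. The following is an added example (not code from the research or from the asyncapi/cli project) that shows the core of such a check. It uses a constructed, simplified commit graph and constructed pin names rather than a real Git object store; in a real audit the `reachable_from` helper would be replaced by `git merge-base --is-ancestor <sha> <ref>` (or `git branch --contains` / `git tag --contains`) run against a fresh clone of the upstream repository.

```python
"""Flag "imposter commits": SHAs that resolve under an upstream repository's
namespace but are not an ancestor of any branch or tag of that repository.

Constructed, simplified model (not GitHub's real object store): commits are a
dict of sha -> list of parent shas, and trusted refs are the upstream
repository's branch and tag tips.  Real-world use: swap `reachable_from` for
`git merge-base --is-ancestor <sha> <ref>` against a clone of the upstream.
"""
from collections import deque

# Constructed commit graph.  a->b->c is upstream history.  f was pushed to a
# fork on top of b; it is fetchable by hash through the upstream URL because
# forks share the object store, but no upstream ref points at it.
COMMITS = {
    "a1a1": [],
    "b2b2": ["a1a1"],
    "c3c3": ["b2b2"],
    "f4f4": ["b2b2"],   # fork commit: shares the object store, not the history
}

# Constructed upstream ref tips (branch and tag names are assumptions).
UPSTREAM_REFS = {"refs/heads/main": "c3c3", "refs/tags/v1.0.0": "b2b2"}


def reachable_from(sha, tip, commits):
    """True if `sha` is `tip` itself or an ancestor of `tip` in `commits`."""
    seen = set()
    queue = deque([tip])
    while queue:
        cur = queue.popleft()
        if cur == sha:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(commits.get(cur, []))
    return False


def classify_pin(sha, commits, refs):
    """Return (verdict, containing_refs) for a pinned SHA.

    verdict is "trusted" when at least one upstream branch or tag contains the
    commit, "imposter" when the object exists but no upstream ref reaches it,
    and "unknown" when the hash does not resolve at all.
    """
    if sha not in commits:
        return ("unknown", [])
    containing = [name for name, tip in refs.items()
                  if reachable_from(sha, tip, commits)]
    if containing:
        return ("trusted", containing)
    return ("imposter", [])


def audit_pins(pins, commits=COMMITS, refs=UPSTREAM_REFS):
    """Audit a list of (pin_name, sha) pairs, e.g. from a workflow file."""
    return {name: classify_pin(sha, commits, refs) for name, sha in pins}


if __name__ == "__main__":
    # Constructed pins: one on a tagged upstream commit, one on the fork
    # commit, one on a hash that does not exist in the upstream at all.
    pins = [
        ("example/action@pin-tag", "b2b2"),
        ("example/action@pin-fork", "f4f4"),
        ("example/action@pin-missing", "zzzz"),
    ]
    for name, (verdict, found_in) in audit_pins(pins).items():
        print(f"{name}: {verdict} {found_in}")
```

The point of the `imposter` verdict is that the hash is "valid" in the sense that a fetch succeeds, yet nothing in the upstream's branches or tags vouches for it; treating that state as a policy failure in CI closes the gap that a fork commit reachable via the upstream URL otherwise leaves open.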