New research into the Shai Hulud 2.0 malware suggests the username UnknownWonderer1 tells us more about the attackers’ endgame.

Aikido Security

New research into the Shai Hulud 2.0 supply chain attack reveals a multi-step attack chain that began on November 23, 2025. Attackers used a 'Pwn Request' technique against the asyncapi/cli GitHub repository to exfiltrate GitHub tokens via a malicious fork commit, then deployed a worm through a compromised OpenVSX extension. A key finding is the exploitation of GitHub's 'Imposter Commits' behavior, where fork commits are accessible via the original repository's commit hash, enabling what researchers call a 'Repository Confusion' vulnerability. The attacker's username UnknownWonderer1 is analyzed as a Dune-inspired reference suggesting ideological motivation beyond financial gain.

Shai Hulud 2.0: What the Unknown Wonderer Reveals About the Attackers’ Endgame