Shai Hulud 2.0 has led to significant security concerns, with numerous code libraries compromised, particularly those from Zapier, ENS Domains, PostHog, and Postman. If a vulnerable package was installed, secrets stored on the affected device are likely compromised. The attack has resulted in a persistent remote code execution (RCE) risk via GitHub runners, and exposed secrets have been posted in public repositories, prompting GitHub to take action against them. The article compiles essential resources to help teams respond effectively, including lists of infected packages, malware file hashes, and various scanning tools. To mitigate risks, the article emphasizes the importance of version pinning, monitoring developer environments, and employing runtime security measures. Effective tools mentioned include Wiz and DataDog’s IOCs, which provide details on infected package names and malware file hashes. Several scanners like the Phoenix Security Scanner and Jaime Scanner are suggested, although the effectiveness of these tools isn’t fully verified. For compromised secrets, services like GitGuardian and Entro offer databases of exposed secrets, though users should be cautious when entering sensitive information. The article critiques the common advice to "use fewer dependencies," pointing out that many compromised packages are tied to commercial offerings that can't easily be replaced. It highlights the evolution of security tools and vendor offerings for supply chain attack prevention, including both commercial and open-source options. While no single solution can entirely prevent such attacks, a combination of strategies—like restricting NPM scripts and monitoring build systems—can enhance security. The piece also underlines the need for improved practices within the NPM ecosystem, such as implementing trusted publishing to mitigate the risk of future attacks.