Deepgram Voice AI incident

Shai-Hulud 2.0 Supply Chain Incident – No Customer Impact


Deepgram Voice AI experienced a notice incident on November 26, 2025, lasting —. The incident has been resolved; the full update timeline is below.

Started: Nov 26, 2025, 12:00 AM UTC
Resolved: Nov 26, 2025, 12:00 AM UTC
Detected by Pingoru: Nov 26, 2025, 12:00 AM UTC

Update timeline

  1. resolved Dec 04, 2025, 10:50 PM UTC

    Informational (No Customer Action Required)

    Deepgram identified that our internal development environment was affected as part of the industry-wide Shai-Hulud 2.0 NPM supply chain attack. The attack used compromised NPM packages to inject malicious CI/CD workflows and attempt to exfiltrate internal development credentials.

    Our investigation confirms:
    - No access to customer data or databases
    - No impact to production API infrastructure or service availability
    - No modification of published Deepgram SDKs or packages
    - No effect on customer authentication or API keys

    Timeline (UTC):
    - 00:41, Nov 26: Webhook alert on an internal GitHub repo; engineers link activity to Shai-Hulud 2.0, disable malicious workflows, and rotate exposed credentials.
    - 21:45, Nov 26: Additional commits via a compromised GitHub App publish some internal materials (no customer or production impact); the account is removed, GitHub Actions disabled, and the org moved into a locked-down state.

    We see no further signs of compromise and are gradually restoring normal operations while tightening SDLC and CI/CD controls.

    Customer action: None required.

    Questions: [email protected]

    This incident affected internal development infrastructure only; customer-facing APIs and services were not impacted.