Deepgram identified that our internal development environment was affected as part of the industry-wide Shai-Hulud 2.0 NPM supply chain attack. The attack used compromised NPM packages to inject malicious CI/CD workflows and attempt to exfiltrate internal development credentials.
Our investigation confirms:
- No access to customer data or databases
- No impact to production API infrastructure or service availability
- No modification of published Deepgram SDKs or packages
- No effect on customer authentication or API keys
Timeline (UTC):
- 00:41, Nov 26: Webhook alert on an internal GitHub repo; engineers link activity to Shai-Hulud 2.0, disable malicious workflows, and rotate exposed credentials.
- 21:45, Nov 26: Additional commits via a compromised GitHub App publish some internal materials (no customer or production impact); the account is removed, GitHub Actions disabled, and the org moved into a locked-down state.
We see no further signs of compromise and are gradually restoring normal operations while tightening SDLC and CI/CD controls.