Open source · Available now

Meet Thumper.

An open-source tripwire that catches endpoint compromise (and soon more). Plant fake-but-realistic credentials where the Shai-Hulud npm worm scans - the instant one is read, you know the box is breached.

The first signal your organization needs.

Why we built it

Detection has to be instant - so we made it simple.

When the attacker moves at machine speed, detection has to be instant and unambiguous. We wanted a simple detection primitive that at least gives the organization a first signal to triage on. A honeytoken is the perfect fit: the credential is bait and nothing else, so a single read is a strong indication of compromise (though not conclusive on its own). We built Thumper to give every team that signal, for free - and we made it open source on purpose.

Join the cause. Add code.

Thumper is free to use and built in the open. Run it, break it, send a PR - the more eyes and tokens in the wild, the louder the tripwire.

How it works

Plant the bait. Wait for the read.

  1. Plant the bait

    Thumper drops fake-but-realistic credentials into the exact files attackers scan - ~/.aws/credentials, ~/.npmrc, ~/.config/gh/hosts.yml, and more.

  2. The worm reads it

    Shai-Hulud harvests credential files automatically as it spreads. The instant it touches a Thumper token, it trips the wire.

  3. You get the signal

    A read means your box is probably breached. That's your first signal to triage on - in real time, the moment it happens.
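As an added, Linux-only illustration of the three steps (example code, not Thumper's own): it plants constructed decoys at the three paths named above under a throwaway home directory, registers an inotify IN_ACCESS watch on each through ctypes, and reports which decoy a simulated harvester read. The decoy contents, placeholder values and function names are assumptions; a real deployment would forward the hit to an alerting channel and use unique, traceable token values.

```python
import ctypes, os, pathlib, select, struct, tempfile
# Constructed decoys in the formats the worm scrapes; the values are placeholders,
# not Thumper's real token format. A deployment would use unique, traceable values.
DECOYS = {
    ".aws/credentials": "[default]\naws_access_key_id = AKIAPLACEHOLDER000001\naws_secret_access_key = PLACEHOLDER/not-a-real-secret\n",
    ".npmrc": "//registry.npmjs.org/:_authToken=npm_PLACEHOLDERdecoytoken\n",
    ".config/gh/hosts.yml": "github.com:\n    oauth_token: gho_PLACEHOLDERdecoy\n",
}
IN_ACCESS = 0x00000001                     # inotify mask: a read() returned file data
libc = ctypes.CDLL(None, use_errno=True)   # Linux only; inotify calls live in libc

def plant(home):  # step 1: write each decoy under `home`, owner-only; return {path: name}
    planted = {}
    for name, body in DECOYS.items():
        p = pathlib.Path(home, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        p.chmod(0o600)
        planted[str(p)] = name
    return planted

def arm(planted):  # register an IN_ACCESS watch on every decoy; return (fd, {wd: name})
    fd = libc.inotify_init()
    watches = {libc.inotify_add_watch(fd, p.encode(), IN_ACCESS): n for p, n in planted.items()}
    if fd < 0 or -1 in watches:
        raise OSError(ctypes.get_errno(), "inotify unavailable (this example is Linux-only)")
    return fd, watches

def tripped(fd, watches, timeout=1.0):  # step 3: return the decoys that were read, in order
    hits = []
    while select.select([fd], [], [], timeout)[0]:
        buf, off = os.read(fd, 4096), 0
        while off < len(buf):
            wd, mask, _cookie, name_len = struct.unpack_from("iIII", buf, off)
            off += 16 + name_len               # fixed header plus optional name payload
            if mask & IN_ACCESS and watches[wd] not in hits:
                hits.append(watches[wd])
        timeout = 0                            # only drain what is already queued
    return hits

def simulate_harvest(victim=".npmrc"):  # step 2 stand-in: read one decoy as a harvester would
    with tempfile.TemporaryDirectory() as home:
        fd, watches = arm(plant(home))
        try:
            with open(os.path.join(home, victim)) as fh:
                fh.read()                      # this read is the tripwire
            return tripped(fd, watches)
        finally:
            os.close(fd)
```

Because only the decoy that was actually read shows up, the hit tells you which file the harvester touched, not just that something happened.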

The threat

What is Shai-Hulud?

Shai-Hulud is a self-replicating npm worm. It scrapes cloud and developer credentials from infected machines, then uses them to publish itself into more packages - spreading across the ecosystem on its own. Every box it lands on becomes a launch pad for the next.

The bigger picture

Want to hear the bigger picture?

Thumper is the first piece. We're building an AI-native active layer of defense against AI attackers. Think that's relevant for your organization? Need a managed solution for Thumper? Leave your email and we'll be in touch.