Zeal of the Convert: Taming Shai-Hulud with AI

Rami McCarthy

[un]prompted 2026 — AI Security Practitioner Conference · Day 1 · 1

When a massive NPM supply chain attack campaign called Shai-Hulud leaked data from tens of thousands of compromised machines across GitHub, Wiz security researcher Rami McCarthy used AI to do in two days what two weeks of manual work could not: identify over 2,400 victim companies, including 37 of the Fortune 100. His talk is a detailed, honest post-mortem on what AI actually did and did not do well, and a practical guide to building AI workflows that compound in value over time.

AI review

Real investigation, real numbers, real intellectual honesty about where AI fails. McCarthy took a 30GB supply chain mess — Shai-Hulud, 250,000 files, 30,000 repos — and used AI to identify 2,400 victim companies including 37 Fortune 100 in two days, versus 200 in two weeks manually. The failure modes he documents are as valuable as the wins.
