Full Report
The Shai-Hulud malware leaked last week is now being used in new attacks on the npm registry, as infected packages emerged over the weekend. [...]
Analysis Summary
# Tool/Technique: Shai-Hulud (Leaked Variant/Clone)
## Overview
Shai-Hulud is an information stealer built for npm supply-chain attacks. Originally attributed to the threat group **TeamPCP**, its source code was recently leaked on GitHub and has since been picked up by independent threat actors. The malware targets developers by planting typosquatted packages in the npm ecosystem; once installed, it harvests credentials, cloud configuration and cryptocurrency wallet data and exfiltrates them.
## Technical Details
- **Type:** Malware Family (Information Stealer / Botnet)
- **Platform:** Cross-platform (Node.js environments, Linux, Windows, macOS)
- **Capabilities:** Credential theft, secret harvesting, DDoS (via the "phantom bot" module), and self-propagation (publishing to other projects with stolen credentials).
- **First Seen:** September 2025 (Original); May 2026 (Leaked clone campaign).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]
- **[TA0006 - Credential Access]**
  - [T1552 - Unsecured Credentials]
  - [T1552.004 - Unsecured Credentials: Private Keys]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
  - [T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository]
- **[TA0040 - Impact]**
  - [T1498 - Network Denial of Service]
## Functionality
### Core Capabilities
- **Credential & Secret Harvesting:** Targets developer-specific data including AWS/Cloud configurations, SSH keys, and account tokens.
- **Crypto-Theft:** Scans for and exfiltrates cryptocurrency wallet data.
- **Typosquatting:** Distributed via npm packages with names similar to popular libraries (e.g., `axois` vs `axios`).
- **Exfiltration to GitHub:** Automatically uploads stolen data to public, auto-generated GitHub repositories.
### Advanced Features
- **DDoS Module ("Phantom Bot"):** Found in specific variants like `axois-utils`, capable of executing HTTP, TCP, and UDP floods, as well as TCP reset attacks.
- **Self-Propagation Logic:** Retains functionality to use stolen publishing credentials to push malicious code to other legitimate projects.
## Indicators of Compromise
### Package Names (malicious npm packages)
- `chalk-tempalte` (Shai-Hulud clone)
- `@deadcode09284814/axios-util`
- `axois-utils` (Infostealer + DDoS bot)
- `color-style-utils`
### Network Indicators
- **C2 Server:** 87e0bbc636999b[.]lhr[.]life
- **Service:** Uses `.lhr.life` (Localhost.run) for tunneling/exfiltration.
### Behavioral Indicators
- Unusual outbound traffic from developer workstations to unauthorized GitHub repositories.
- `npm install` processes spawning unexpected network connections to tunneling services.
- Unauthorized creation of configuration files or modification of `.env` files.
## Associated Threat Actors
- **TeamPCP:** Original authors of the Shai-Hulud malware.
- **deadcode09284814:** The specific npm account responsible for the May 2026 campaign using leaked code.
## Detection Methods
- **Signature-based detection:** The leaked source is not obfuscated, so modern EDR and AV can match it directly; expect this to fail against clones that repack or obfuscate the code, so pair it with the behavioral and network checks below.
- **Behavioral detection:** Monitor for Node.js processes accessing sensitive files like `~/.aws/credentials`, `~/.ssh/id_rsa`, or browser-based wallet extensions.
- **Network Monitoring:** Alert on connections to known tunneling services (e.g., Localhost.run, Ngrok) originating from build servers or developer machines.
## Mitigation Strategies
- **Dependency Auditing:** Regularly run `npm audit` and software composition analysis (SCA) tools, but note that `npm audit` only reports packages already in the advisory database; a freshly published typosquat will not appear until it is reported, so also compare dependency names against known-bad lists and against look-alikes of the libraries you actually use.
- **Credential Rotation:** Immediately rotate API keys, cloud secrets and SSH keys if an infected package is detected, and include npm and GitHub tokens, since the self-propagation logic relies on stolen publishing credentials.
- **Namespace Verification:** Prefer scoped packages and verify who owns the scope and the package before installing; a scope alone proves nothing, as the scoped `@deadcode09284814/axios-util` in this campaign shows.
- **Runtime Protection:** Implement egress filtering on developer environments and build servers so that data cannot leave for tunneling services or other non-standard domains.
## Related Tools/Techniques
- **Mini Shai-Hulud:** A lightweight version previously used in supply-chain attacks.
- **Typosquatting:** A common technique for delivery of malicious packages in the Open Source Software (OSS) ecosystem.