Full Report
A massive NPM supply chain attack leveraging “Shai-Hulud” malware has compromised 700+ packages, targeting developer credentials and CI/CD pipelines. Learn how it works—and how to protect your org.
Analysis Summary
# Tool/Technique: Shai-Hulud
## Overview
Shai-Hulud is a self-propagating malware identified in a large-scale software supply chain attack targeting the Node Package Manager (NPM) ecosystem. Its primary goal is to infect developer machines via trojanized NPM packages to steal sensitive information such as credentials, tokens (including CI/CD), and secrets, and then establish persistent backdoors in compromised GitHub repositories.
## Technical Details
- Type: Malware
- Platform: Windows and Linux
- Capabilities: Worm-like propagation via NPM, credential harvesting using TruffleHog, establishing persistent GitHub Actions backdoors, exfiltrating secrets via hard-coded webhooks and GitHub Actions logs.
- First Seen: Mid-September (year not explicitly stated, implied recent based on context)
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described behaviors.*
- **TA0001 - Initial Access**
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain: Compromise Software Supply Chain
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping (Implied by stealing tokens/secrets)
- **TA0010 - Exfiltration**
- T1567 - Exfiltration Over Web Service
- **TA0003 - Persistence**
- T1547 - Boot or Logon Autostart Execution (Implied by persistent workflow)
- T1547.002 - Registry Run Keys / Startup Folder (Not explicitly mentioned, but common persistence goal)
- **TA0004 - Privilege Escalation**
- T1068 - Exploitation for Privilege Escalation (Implicitly using stolen credentials/tokens)
## Functionality
### Core Capabilities
- **Infection Vector:** Propagation through trojanized NPM packages, affecting potentially millions of developers.
- **Credential Harvesting:** Downloads and executes the legitimate credential scanner **TruffleHog** within the compromised environment to collect developer tokens, CI/CD secrets, and cloud service credentials.
- **AWS Integration:** Contains logic to validate and resolve Web Identity AWS credential profiles, configure an AWS STS client, and serialize/deserialize AWS Secrets Manager commands (create, get, update, delete, rotate, replicate).
### Advanced Features
- **Worm-like Propagation:** Automatically spreads to new, dependent NPM packages.
- **Persistent Backdoor Creation:** Creates unauthorized GitHub Actions workflows named `shai-hulud.yaml` or `shai-hulud-workflow.yml` in compromised repositories.
- **Data Exfiltration Mechanism:** Exfiltrates collected secrets via hard-coded webhook endpoints (e.g., hxxps://webhook[.]site/...) and, critically, leaks secrets in the job logs of the newly created automated workflow upon execution.
- **GitHub Repository Manipulation:** Verifies the supplied GitHub Personal Access Token (PAT), fetches the default branch SHA, creates a new branch named "shai-hulud", and uploads the malicious workflow file encoded in Base64 via the GitHub Contents API.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: `bundle.js` (malicious payload script), `.github/workflows/shai-hulud.yaml`, `.github/workflows/shai-hulud-workflow.yml`
- Registry Keys: [Not provided in the context]
- Network Indicators: hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 (C2/Exfiltration endpoint)
- Behavioral Indicators: Execution of TruffleHog post-package install, creation of unauthorized `.github/workflows` files, API calls to GitHub to create branches/update contents using stolen PATs, usage of `curl` for data exfiltration.
## Associated Threat Actors
- [Name not explicitly attributed to a formal group in the text, but related to the Insikt Group analysis team tracking the campaign.]
## Detection Methods
- Signature-based detection: Searching for specific malicious NPM package versions.
- Behavioral detection: Monitoring for unexpected execution of `bundle.js`, processes attempting to harvest secrets (like TruffleHog execution), and unauthorized communication to external webhook URLs. Monitoring for the programmatic creation of new branches and workflow files in Git repositories.
- YARA rules: [Not available in context, but derivable from `bundle.js` structure and AWS logic.]
## Mitigation Strategies
- Search for and remove compromised NPM versions immediately.
- Rotate all potentially compromised tokens (developer credentials, CI/CD pipeline tokens).
- Audit CI/CD environments for unusual permissions or execution triggers.
- Review source code repositories for unauthorized workflows (`.github/workflows/`) or anomalous branches (e.g., "shai-hulud").
## Related Tools/Techniques
- TruffleHog (Legitimate tool weaponized by the malware)
- GitHub Actions Workflows (Weaponized DevOps feature for persistence and exfiltration)
- General NPM Supply Chain Attacks (Similar campaign vectors)