New Wave of Shai-Hulud Malware Campaign (NPM supply chain)
BLUF
Threat actors are compromising developer accounts and injecting malicious code into legitimate NPM packages, which acts as a remote access trojan (RAT) to steal credentials and data from downstream users.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations impacted by a confirmed or suspected NPM supply-chain compromise involving Shai-Hulud malware activity:
Low-end total cost: $750,000 – $1.2M
(Rapid detection, limited credential exposure, minimal downstream impact)
Typical expected range: $1.5M – $2.5M
Upper-bound realistic scenarios: $3M – $4.5M
(Extended dwell time, downstream customer exposure, regulatory engagement)
Key cost driver:
Costs are driven primarily by the need to re-establish trust in compromised development pipelines, including broad credential rotation, build validation, and deployment controls, combined with productivity loss from paused releases and diverted engineering effort. Additional cost pressure comes from customer and partner assurance demands, legal and compliance review to confirm downstream impact, and insurance friction following a supply-chain security event.
Targeted Sectors
· Technology
· Software development
· Organizations relying on open-source software (OSS)
Countries
· Global
Date of First Reported Activity
· The current multi-wave campaign has been ongoing, with a recent wave reported on December 23, 2025.
Date of Last Reported Activity Update
· December 23, 2025
APT Names
· This has not been publicly identified at this time.
o The group appears to be organized.
Associated Criminal Organization Names
· This has not been publicly identified at this time.
o The group appears to be organized.
IOCs
File and Code Artifacts
Malicious Files
· Presence of setup_bun.js (stager/loader script) and bun_environment.js (large, heavily obfuscated main payload, typically around 10MB) within the package tarball or on the compromised system.
Created Files
· The malware creates specific files during execution: cloud.json, contents.json, environment.json, and truffleSecrets.json (containing stolen credentials). It may also create a discussion.yaml file within GitHub workflows.
Temporary Scripts
· Execution of scripts such as /tmp/processor.sh and /tmp/migrate-repos.sh.
Package Modification
· A newly added preinstall hook in package.json that points to the stager script (e.g., "preinstall": "node setup_bun.js").
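The file and package.json indicators above can be checked offline against an unpacked tarball or a node_modules tree. The scanner below is an added example written for this report, not code from any cited source; it uses only the file names, lifecycle hook and sample hash listed above, and the fixture it builds is a constructed placeholder, not a real package.

```python
import hashlib
import json
import os
import tempfile

# Indicator values taken from the report above.
STAGER_FILES = {"setup_bun.js", "bun_environment.js"}
HARVEST_FILES = {"cloud.json", "contents.json", "environment.json", "truffleSecrets.json"}
KNOWN_SHA256 = {"46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk a node_modules (or unpacked tarball) tree and return
    (finding_type, path, detail) tuples for each Shai-Hulud indicator hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in STAGER_FILES:
                # Stager/payload present; bun_environment.js is typically ~10MB.
                findings.append(("stager_file", path, f"{os.path.getsize(path)} bytes"))
                if sha256_of(path) in KNOWN_SHA256:
                    findings.append(("known_hash", path, sha256_of(path)))
            if name in HARVEST_FILES:
                findings.append(("harvest_artifact", path, ""))
            if name == "package.json":
                try:
                    with open(path, encoding="utf-8") as f:
                        scripts = json.load(f).get("scripts") or {}
                except (OSError, ValueError):
                    continue
                for hook in LIFECYCLE_HOOKS:
                    cmd = scripts.get(hook, "")
                    if any(s in cmd for s in STAGER_FILES):
                        findings.append(("lifecycle_hook", path, f"{hook}: {cmd}"))
    return findings


def build_sample_tree():
    """Constructed fixture (hypothetical package, not a real one) with the
    preinstall hook and stager file name described in the report."""
    root = tempfile.mkdtemp(prefix="nm_")
    pkg = os.path.join(root, "node_modules", "example-pkg")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "example-pkg", "scripts": {"preinstall": "node setup_bun.js"}}, f)
    with open(os.path.join(pkg, "setup_bun.js"), "w", encoding="utf-8") as f:
        f.write("// placeholder stager body, not the real payload\n")
    return root
```

Run `scan_tree("node_modules")` from a project root; a non-empty result warrants quarantining the package and rotating any credentials the build environment could reach.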
Network and Host IOCs
Suspicious Outbound Traffic
· Outbound network traffic to suspicious or unusual domains and IP addresses.
Exfiltration Endpoints
· Initial wave used webhook.site for data exfiltration, specifically webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7.
· The second wave uses randomly named public GitHub repositories for exfiltration.
GitHub and CI/CD Anomalies
New Public Repositories
· Creation of new, randomly named public GitHub repositories with descriptions such as "Sha1-Hulud: The Second Coming".
o These repos contain the exfiltrated secrets.
Unauthorized Workflows
· Presence of unexpected GitHub Actions workflows, sometimes named shai-hulud-workflow.yml, or the injection of new workflow steps.
Abnormal NPM Publishes
· Detection of new, unauthorized versions of legitimate npm packages published from a compromised account.
Credential Harvesting Tools
· Use of credential-gathering tools like TruffleHog within the compromised environment.
Tools Used in Campaign
· Malicious JavaScript/PowerShell code, potentially compromised credentials.
CVEs and CVSS Vectors
· The vulnerability lies in compromised accounts/misconfigurations rather than a specific software flaw.
Nessus ID
· Not applicable
Mitigation Data
· Maintainers are urged to implement code signing and verification processes and use robust access controls.
· Users should verify package integrity and consider security tools that scan components at all stages of deployment. GitHub provides guidance on strengthening supply chain security.
Malware Names
· Shai-Hulud worm/malware.
Malware Samples
sha256
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
URL Link to sample
· hxxps://www.virustotal.com/gui/file/46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
TTPs
· TA0001 Initial Access (via compromised developer accounts)
· T1199 Trusted Relationship (exploitation of trust between supplier and customer)
· T1059.001 Command and Scripting Interpreter: PowerShell (execution via user interaction)
· T1027.005 Obfuscated Files or Information: Indicator Removal from Tools (padding code with whitespace)
· T1105 Ingress Tool Transfer (downloading additional payloads from C2)
Suggested Rules / potential hunts
As a reminder, these are indicator rules and are likely to be noisy.
For best results, run them against historical data via data models rather than relying on live alerts alone.
Suricata Network Rules
· Focus on the exfiltration of harvested credentials to GitHub and the downloading of the Bun runtime or TruffleHog. Note that GitHub and bun.sh serve traffic over TLS, so the HTTP content matches below only fire where TLS is terminated and inspected (for example at a decrypting proxy).
GitHub Repository Creation/Push (Exfiltration)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shai-Hulud 2.0 Exfiltration Attempt (GitHub)"; content:"Sha1-Hulud: The Second Coming"; http_client_body; sid:2025001; rev:1;)
TruffleHog Download/Update
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shai-Hulud 2.0 - TruffleHog Download via NPM Script"; content:"trufflehog"; http_uri; sid:2025002; rev:1;)
Suspicious Bun Runtime Download
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shai-Hulud 2.0 - Bun Runtime Installer Download"; content:"/install.sh"; http_uri; content:"bun.sh"; http_host; sid:2025003; rev:1;)
SentinelOne Queries
Malicious Script Execution:
(ProcessName contains "node" OR ProcessName contains "bun") AND (CommandLine contains "setup_bun.js" OR CommandLine contains "bun_environment.js")
GitHub Actions Runner Persistence
Detect the registration of a new self-hosted runner, which the malware names SHA1HULUD.
ProcessName contains "config.sh" AND CommandLine contains "--name SHA1HULUD"
Destructive Data Wiping:
The malware shreds the home directory if exfiltration fails.
ProcessName contains "shred" AND CommandLine contains "/home/"
Splunk Hunts
Hunting for Compromised NPM Packages
Search for node or bun processes executing the stager or payload scripts. The preinstall hook name does not appear on the child process command line (npm passes it via environment, not arguments), so match on the script names and keep the parent command line for context.
index=main sourcetype=sysmon EventCode=1 (Image="*node*" OR Image="*bun*")
| search CommandLine="*setup_bun.js*" OR CommandLine="*bun_environment.js*"
| table _time, host, user, ParentCommandLine, CommandLine
Hunting for Secret Harvesting Artifacts
Look for specific JSON files created during the harvesting stage: cloud.json, contents.json, environment.json, and truffleSecrets.json.
index=main sourcetype=sysmon EventCode=11
| search TargetFilename IN ("*cloud.json", "*contents.json", "*environment.json", "*truffleSecrets.json")
| table _time, host, user, TargetFilename
Outbound Traffic to Metadata Services
The malware calls instance metadata services to steal cloud credentials.
index=proxy dest_ip="169.254.169.254"
| stats count by src_ip, url, user_agent
Delivery Method
· Malicious code injected into open-source software packages; users download the trojanized package during routine software development/updates.
Email Samples
· This is not a phishing attack.
o The attack delivery is via package manager/CI/CD workflow
References
GitHub Blog
· hxxps://github.blog/security/supply-chain-security/strengthening-supply-chain-security-preparing-for-the-next-malware-campaign
Reversing Labs
· hxxps://www.reversinglabs.com/sscs-report
Dark Reading
· hxxps://www.darkreading.com/application-security/supply-chain-attacks-targeting-github-actions-increased-in-2025
Silicon Angle
· hxxps://siliconangle.com/2025/12/23/shai-hulud-malware-turns-developers-unwitting-distributors-NPM-supply-chain-attacks
VirusTotal
· hxxps://www.virustotal.com/gui/file/46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09