Shai-Hulud 3.0 NPM Variant Supply Chain Attack
BLUF
A new variant of the Shai-Hulud NPM supply chain attack has been identified, likely still in a test phase, designed to spread automatically and steal developer credentials and cloud keys via malicious NPM packages.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations with confirmed or suspected exposure to the Shai-Hulud 3.0 NPM supply chain activity:
Low-end total cost: $900,000 – $1.2M
(Rapid detection, limited credential scope, minimal downstream abuse)
Typical expected range: $1.6M – $2.4M
Upper-bound realistic scenarios: $3M – $4.2M
(Widespread credential theft, CI/CD compromise, customer assurance demands, and regulatory review)
Key cost driver:
Costs are driven less by system outages and more by loss of trust in development integrity. The need to re-establish assurance across source code, build pipelines, and cloud access—combined with extensive credential rotation and third-party validation—creates sustained financial drag even when operational disruption appears limited.
Targeted Sectors
· Developers and organizations using the npm ecosystem
· Cloud service providers
o Amazon Web Services (AWS)
o Google Cloud Platform (GCP)
o Microsoft Azure
· Version control and collaboration platforms
· Continuous Integration/Continuous Deployment (CI/CD) pipelines
· Software development and technology (specifically users of the NPM package manager and related development ecosystems).
Countries
· Global
The original campaign affected
· Zapier
· ENS Domains (Ethereum Name Service)
· PostHog
· Postman
Date of First Reported Activity
Shai-Hulud 3.0 Variant
· December 28, 2025
Original Shai-Hulud Campaign
· November 21–23, 2025
Date of Last Reported Activity Update
· December 29, 2025
APT Names
· APT groups have not been publicly disclosed at this time
Associated criminal organization names
· Criminal organizations have not been publicly disclosed at this time
IOCs
Malicious Files Created
The malware creates the following files on compromised systems:
· cloud.json
· contents.json
· environment.json
· truffleSecrets.json
· data.json (contains encoded secrets)
Malicious Scripts
· setup_bun.js (dropper)
· bun_environment.js (heavily obfuscated core payload)
GitHub Indicators
· Presence of a GitHub Actions workflow file named shai-hulud-workflow.yml.
· Stolen credentials are exfiltrated to attacker-controlled GitHub repositories which often have descriptions referencing "Shai-Hulud".
Network Indicators
· Outbound connections to webhook[.]site.
· Access to cloud metadata endpoints (e.g., AWS, Azure, GCP) to steal cloud platform keys.
· Network traffic anomalies and connections to known malicious IP addresses or C2 servers.
Tools Used in Campaign
· Malicious NPM packages
o Custom scripts for credential harvesting.
CVEs and CVSS Vectors
· No specific CVEs are listed, as this is a new malware and social engineering campaign rather than an exploit of a single software vulnerability.
Nessus ID
· Not applicable at this time
Mitigation
· Software developers should implement code signing and verification processes
· Conduct regular security assessments of third-party components
· Use security tools to continuously scan software components
· Avoid using mutable version tags like @latest or @v1
o Pin dependencies to specific, immutable versions.
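As an added example (not part of this bulletin or any vendor's tooling), a Python check for the last two mitigation bullets: it flags package.json dependency specs that are not exact versions and GitHub Actions "uses:" references pinned to a tag such as v4 rather than a 40-character commit SHA. The package.json and workflow samples are constructed, and the SHA in the sample workflow is a placeholder.

```python
import json
import re

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")  # exact npm semver, no range
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                           # action pinned to a commit
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.M)

def unpinned_dependencies(package_json_text):
    """Return {name: spec} for dependencies whose spec is a range or tag, not an exact version."""
    pkg = json.loads(package_json_text)
    found = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (pkg.get(section) or {}).items():
            if not EXACT_VERSION.match(str(spec)):
                found[name] = spec
    return found

def unpinned_actions(workflow_yaml_text):
    """Return [(action, ref)] for uses: steps pinned to a mutable tag or branch instead of a SHA."""
    return [(action, ref) for action, ref in USES_LINE.findall(workflow_yaml_text)
            if not FULL_SHA.match(ref)]

# Constructed samples: one exact pin, a caret range, a ~ range and the mutable "latest" tag.
PACKAGE_JSON = json.dumps({"dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.21", "some-cli": "latest"},
                           "devDependencies": {"eslint": "~9.0.0"}})
WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci
"""

def report():
    """Run both checks over the constructed samples."""
    return unpinned_dependencies(PACKAGE_JSON), unpinned_actions(WORKFLOW)
```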
Patch Release Date
· Not applicable
URL Link to Patch
· Not applicable
Malware Names
· Shai-Hulud 3.0 (variant name)
o The malware abuses npm preinstall lifecycle scripts to execute its payload.
Malware Samples
sha256
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
URL Link to sample
· hxxps://www.virustotal.com/gui/file/46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
TTPs
TA0001 - Initial Access
· T1078 - Valid Accounts (achieved via phishing for npm tokens and GitHub credentials)
TA0002 - Execution
· T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (implied, as malware runs upon package installation)
· T1059.004 - Command and Scripting Interpreter: JavaScript (malicious code injected into npm package lifecycle scripts, such as "pre-install", to ensure execution on build servers)
TA0003 - Persistence
· T1136.002 - Create Account: Cloud Account (potentially, by using stolen credentials to create new infrastructure or accounts)
· T1078 - Valid Accounts (maintains access through stolen credentials).
· Unauthorized workflows in .github/workflows (e.g., shai-hulud.yaml) for backdoor access
TA0004 - Privilege Escalation
· T1078 - Valid Accounts
TA0005 - Defense Evasion
· T1036.003 - Masquerading: Rename Legitimate Utilities (malicious files potentially named to blend in).
· Bypassing static scanning tools by executing during the pre-install phase.
· Making the Shai-Hulud repository private to hide it from discovery.
TA0006 - Credential Access
· T1552.001 - Unsecured Credentials: Information from Files or External Systems (scans the file system for credentials using tools like TruffleHog).
· Stealing specific credentials: GitHub Personal Access Tokens (PATs), AWS keys, GCP credentials, Azure credentials, and npm tokens
TA0007 - Discovery
· T1083 - File and Directory Discovery (scans the home directory and environment for exposed secrets)
· OS Reconnaissance
TA0008 - Lateral Movement
· T1210 - Exploitation of Remote Services (uses stolen credentials to compromise other developer accounts and systems).
TA0009 - Collection
· T1005 - Data from Local System (collects sensitive information and credentials from the compromised system)
TA0010 - Exfiltration
· T1041 - Exfiltration Over C2 Channel (exfiltrates stolen data to public GitHub repositories controlled by the attacker, using them as drop boxes)
TA0011 - Command and Control
· T1102 - Web Service (uses GitHub repositories for data exfiltration and potential command signalling)
TA0040 - Impact
· T1490 - Inhibit System Recovery (Version 2.0 included a "dead man's switch" designed to delete user data if containment was detected).
TA0043 - Software Supply Chain
· T1588.002 - Obtain Capabilities: Tool (uses the legitimate tool TruffleHog).
· T1651 - Supply Chain Compromise (injects malicious code into legitimate open-source packages)
Suggested Rules / Potential hunts
Suricata Network Rules
Detect automated creation of repositories with the campaign's signature names.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shai-Hulud GitHub Repo Creation Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/user/repos"; http_uri; content:"Shai-Hulud"; http_client_body; sid:1000001; rev:1;)
Shai-Hulud often POSTs secrets to specific public webhook services.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shai-Hulud Webhook Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"webhook.site"; http_header; content:"/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"; http_uri; sid:1000002; rev:1;)
The 3.0 variant frequently installs the Bun runtime via network fetch to execute obfuscated payloads. Because this traffic is TLS on port 443, the plaintext content match below only fires where the sensor sees decrypted traffic (TLS termination or inspection in front of it).
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Shai-Hulud Bun Runtime Installation Script Fetch"; flow:established,to_server; content:"setup_bun.js"; sid:1000003; rev:1;)
SentinelOne Deep Visibility & STAR Rules
Bun Payload Execution
Detect the Bun runtime launching the obfuscated core payload.
Query
ProcessName = "bun" AND CommandArgs CONTAINS "bun_environment.js"
Workflow Integrity Monitoring
Detect unauthorized writes to GitHub Actions workflows, which the worm uses for persistence.
Query
FilePath CONTAINS ".github/workflows/" AND (FilePath CONTAINS "shai-hulud" OR FileContent CONTAINS "toJSON(secrets)")
Unattended Runner Registration
Detect malicious registration of self-hosted runners.
Query
ProcessName = "config.sh" AND CommandArgs CONTAINS "--unattended" AND CommandArgs CONTAINS "Shai-Hulud"
Splunk Threat Hunts
TruffleHog Execution
Search for the automated execution of the scanning tools used by Shai-Hulud.
index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*trufflehog*" OR CommandLine="*trufflehog*") | stats count by host, user, CommandLine
Exfiltration File Creation
Monitor for the specific JSON files created by the malware before exfiltration.
index=main sourcetype=sysmon EventCode=11 (TargetFilename="*cloud.json" OR TargetFilename="*truffleSecrets.json" OR TargetFilename="*environment.json") | table _time, host, TargetFilename
Unauthorized NPM Publishes
Identify unexpected npm publish commands that may indicate the worm is propagating using stolen tokens.
index=main (CommandLine="*npm publish*" OR CommandLine="*npm version*") | stats count by host, user, CommandLine | where count > [YourBaseline]
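As an added example that is not part of this bulletin or any vendor's product, the file, lifecycle-script and workflow indicators listed above can be applied offline to a checked-out repository or node_modules tree with a short Python hunt. The tree it scans is constructed inside demo(), and the "two or more staging files in one directory" threshold is my own heuristic rather than something the bulletin states.

```python
import json, os, tempfile

# Indicator names are those listed in this bulletin; the sample tree in demo() is constructed.
DROPPER_FILES = {"setup_bun.js", "bun_environment.js"}
STAGING_FILES = {"cloud.json", "contents.json", "environment.json", "truffleSecrets.json", "data.json"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def scan_package_json(path):
    """Return (hook, command) pairs whose lifecycle script references a known dropper file."""
    try:
        with open(path, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts") or {}
        return [(h, scripts[h]) for h in LIFECYCLE_HOOKS
                if h in scripts and any(d in str(scripts[h]) for d in DROPPER_FILES)]
    except (OSError, ValueError, AttributeError, TypeError):
        return []  # unreadable, malformed, or not a JSON object: nothing to report

def scan_tree(root):
    """Walk a project or node_modules tree and collect indicators as (kind, location) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            full = os.path.join(dirpath, name)
            if name in DROPPER_FILES:
                findings.append(("dropper_file", os.path.join(rel, name)))
            elif name == "package.json":
                findings += [("lifecycle_script", f"{rel}:{h}={c}") for h, c in scan_package_json(full)]
            elif os.path.join(".github", "workflows") in dirpath:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
                if "shai-hulud" in name.lower() or "toJSON(secrets)" in body:
                    findings.append(("workflow", os.path.join(rel, name)))
        # Heuristic (my assumption, not from the bulletin): staging files are dropped as a set, so two or more together beats a lone data.json.
        if len(STAGING_FILES.intersection(files)) >= 2:
            findings.append(("staging_files", rel))
    return findings

def demo():
    """Build a constructed tree containing each indicator type, then scan it."""
    root = tempfile.mkdtemp()
    pkg, wf, stage = (os.path.join(root, *p.split("/")) for p in ("node_modules/evil-pkg", ".github/workflows", "tmp"))
    for d in (pkg, wf, stage):
        os.makedirs(d)
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "evil-pkg", "scripts": {"preinstall": "node setup_bun.js"}}, fh)
    for path in (os.path.join(pkg, "setup_bun.js"), os.path.join(wf, "shai-hulud-workflow.yml"),
                 os.path.join(stage, "cloud.json"), os.path.join(stage, "truffleSecrets.json")):
        open(path, "w").close()  # empty placeholders; only the names matter for this demo
    return sorted(scan_tree(root))
```

Point scan_tree() at a real checkout or node_modules directory to run the same hunt; a lone data.json in an unrelated project is deliberately not reported.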
Delivery Method
· Malicious versions of legitimate packages uploaded to the public NPM registry by leveraging stolen maintainer credentials.
Email Samples
· Delivery is via the NPM repository, not email phishing.
References
VirusTotal
· hxxps://www.virustotal.com/gui/file/46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09
Arctic Wolf
· hxxps://arcticwolf.com/resources/blog/shai-hulud-malware-targets-numerous-npm-packages-second-wave-npm-supply-chain-attack
SOC Radar IO
· hxxps://socradar.io/blog/shai-hulud-the-second-coming-npm-campaign/
Binance
· hxxps://www.binance.com/en-AE/square/post/12-29-2025-new-variant-of-npm-supply-chain-attack-emerges-34350296264586
Phemex
· hxxps://phemex.com/news/article/new-variant-of-shaihulud-supply-chain-attack-detected-49790
CheckMarx
· hxxps://checkmarx.com/zero-post/shai-huluds-second-coming-npm-malware-attack-evolved
JFrog
· hxxps://jfrog.com/blog/shai-hulud-npm-supply-chain-attack-new-compromised-packages-detected
Wiz IO
· hxxps://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack