November 30th, 2025

Synopsis

The analysis shows that Shai-hulud 2.0 is a highly capable supply-chain threat that compromises CI/CD workflows, developer accounts, and cloud secret stores to harvest credentials, weaponize npm packages, and propagate automatically across dependent systems, creating a scalable and repeating compromise pattern. This understanding shapes strategic decisions by requiring stronger governance over software-supply-chain risk, dependency management, and cloud-identity architecture, while operational teams must prioritize CI/CD hardening, expanded cloud-audit visibility, and faster credential-rotation practices, and tactical units must enhance monitoring, detection logic, and workflow-level safeguards. The campaign materially increases organizational risk posture by elevating both the probability of compromise and the potential for downstream impact across cloud and customer environments, while FAIR modeling shows moderate loss frequency but potentially high magnitude, underscoring the need for improved resilience in build pipelines, credential governance, and dependency-integrity controls. Financial resilience is affected because response, rebuild, and downstream customer-support costs can escalate quickly, making investments in preventative CI/CD security, automated secret-management, and supply-chain governance economically justified relative to the losses modeled in the scenario.

Evaluated Source, Context, and Claim

Artifact Title

Shai Hulud Strikes Again (v2)

https://socket.dev/blog/shai-hulud-strikes-again-v2

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html

Source Type

Cybersecurity blog post

Publication Date

November 24, 2025

November 27, 2025

Credibility Assessment

Both Socket’s research team and Trend Vision One are established cybersecurity intelligence sources known for technically detailed, verifiable reporting on supply-chain and malware campaigns. The depth, consistency, and observable indicators across both posts support a high level of credibility.

General Claim

The OSINT collectively reports that the Shai-hulud 2.0 campaign compromises npm and Maven ecosystems, steals multi-cloud and developer credentials, abuses CI/CD pipelines and GitHub workflows, and automatically backdoors packages to enable large-scale, wormable supply-chain propagation.

Narrative Reconstruction

The OSINT describes an unidentified but technically capable threat actor conducting a large-scale software supply-chain campaign referred to as Shai-hulud 2.0, showing behaviors consistent with a sophisticated financially motivated or hybrid-motive actor. The activity reflects a kill-chain-like flow in which initial access is obtained through manipulation of CI/CD workflows or compromised maintainer accounts, followed by automated installation of a loader and execution of a Bun-based malware payload, which harvests cloud credentials, GitHub authentication tokens, NPM tokens, and other sensitive secrets. The actor then uses these credentials to escalate access, exfiltrate system information, establish command-and-control through malicious GitHub repositories and workflows, and automatically backdoor and republish NPM packages maintained by compromised developers. The targeted assets include developer ecosystems, GitHub repositories, CI/CD pipelines, cloud secret managers across AWS, GCP, and Azure, and downstream users who install affected packages; where not explicitly named, any environment containing developer tokens, API keys, or build credentials is a plausible target. The operational goal appears to be scalable supply-chain compromise enabling credential theft, privilege expansion across cloud and developer platforms, and widespread propagation through poisoned packages that execute automatically on installation, creating a self-reinforcing compromise mechanism that can impact thousands of dependent systems.

Risk Scenario

Risk Scenario

A sophisticated threat actor conducts a software supply-chain attack against developer and CI/CD environments, using compromised maintainer credentials and malicious preinstall scripts to steal cloud and GitHub secrets and automatically republish backdoored NPM packages, resulting in unauthorized access to sensitive cloud resources, compromise of software distribution channels, and potential destructive actions against affected systems.

Threat

The threat is an unidentified but technically advanced actor conducting the Shai-hulud 2.0 supply-chain campaign, demonstrating capabilities consistent with a sophisticated financially motivated or hybrid-motive group. The actor compromises developer accounts or CI/CD workflows, steals cloud and GitHub credentials, and automatically modifies and republishes NPM packages to facilitate broad propagation.

Method

The actor abuses CI/CD workflows, poisoned pull requests, and compromised maintainer credentials to obtain initial access, deploys a Bun-based malware payload via preinstall scripts, harvests AWS, GCP, Azure, and GitHub secrets, establishes command-and-control using attacker-created GitHub repositories and workflows, and repackages and republishes NPM packages with malicious preinstall hooks that enable automated dissemination.

Asset

The targeted assets include NPM packages maintained by victims, developer machines, CI/CD pipelines, GitHub repositories, cloud secret managers across AWS, GCP, and Azure, and any downstream systems that install the compromised packages. Where the OSINT does not specify explicit targets, any environment containing developer credentials, cloud secrets, or build-pipeline tokens is a reasonable target class.

Impact

The compromise may enable large-scale credential theft, unauthorized access to cloud accounts, modification and republishing of trusted software packages, widespread downstream infection, loss of confidentiality of sensitive secrets, potential privilege escalation in CI environments, and in some cases destructive file wiping when the malware fails to obtain credentials.

Evidentiary Basis for Synopsis and Recommendations

Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.

Threat Event Frequency (TEF)

A reasonable estimation of Threat Event Frequency can be expressed by multiplying Contact Frequency and Probability of Action. The OSINT shows that Shai-hulud 2.0 is not a single-target intrusion but a mass-automation supply-chain campaign that republishes malicious versions of hundreds of npm packages, opportunistically compromises maintainers, and propagates through any CI/CD pipeline that installs tainted dependencies. Because these packages are continuously downloaded across the ecosystem and because the malware automatically attempts credential harvesting and package backdooring whenever contact occurs, the Probability of Action remains high once an organization encounters an infected package or workflow. Using the most likely values, this results in TEF = 1.2 × 0.70, or approximately 0.8 expected attack events per year. Given the campaign’s demonstrated scale, automation, and repeated resurfacing across multiple ecosystems, the lower and upper bounds yield a reasonable TEF range of roughly 0.4 to 1.5 events annually, reflecting that most organizations actively using npm or GitHub will periodically encounter Shai-hulud–tainted components even without direct targeting.

Contact Frequency (CF)

The two OSINT sources describe Shai-hulud 2.0 as a large-scale, automated supply-chain campaign that has compromised hundreds of npm packages and propagated into Maven, indicating broad and repeated contact with organizations using npm, GitHub, and CI/CD pipelines. Because malicious versions can enter dependency chains, CI workflows can process tainted code, and maintainers can be indirectly targeted through poisoned pull requests or compromised packages, a reasonable CF estimate for an average software-producing or software-consuming organization is 1–3 meaningful contact opportunities per year, with 1.2/year as the most likely.

Probably of Action (PoA)

The Probability of Action (PoA) once the actor has contact appears high because the campaign is automated, aggressively republishing backdoored packages and systematically harvesting secrets; a justified PoA for a contacted, similarly exposed organization is roughly 60–80%, with a most likely value near 70%.

Threat Capability (TCap)

Shai-hulud 2.0 demonstrates a high level of technical capability through its ability to compromise maintainer accounts, weaponize CI/CD workflows, backdoor npm packages at scale, and propagate across both JavaScript and Java ecosystems. The malware includes a multi-stage loader, automated Bun-runtime installation, privilege escalation on GitHub Actions runners, multi-cloud credential harvesting, and malicious workflow injection for C2 and secret exfiltration. These characteristics indicate a mature, automated, and adaptable toolset capable of bypassing common software-supply-chain controls. Estimated TCap on a FAIR 1–10 scale: low 7, most likely 8, high 9.

Exploit sophistication: The threat routinely abuses CI/CD mechanisms such as pull_request_target, modifies sudoers files via Docker-based privilege escalation, harvests GitHub, AWS, GCP, and Azure secrets, and automatically repackages and republishes npm packages with malicious installers. Its kill-chain behavior reflects advanced supply-chain exploitation that goes beyond simple credential theft.

Bypass ability: Shai-hulud 2.0 bypasses traditional detection by embedding malicious preinstall scripts in trusted package updates, suppressing output, running in detached background processes, triple-encoding exfiltrated data, and leveraging legitimate cloud APIs and GitHub Actions infrastructure for stealth and persistence. These behaviors indicate strong capability to evade standard dependency scanning, CI logs, and secret-detection mechanisms.

Tooling maturity: The tooling includes modular collectors for AWS, GCP, and Azure; automated TruffleHog deployment; resilient C2 using attacker-created GitHub repositories; multi-platform runner deployment; and a fully automated package-backdooring pipeline supporting up to 100 packages in parallel. This reflects a highly engineered and continuously operational malware framework.

Campaign success rate: The campaign has successfully compromised hundreds of npm packages, reached Maven through mirrored artifacts, spread across thousands of downstream users, and repeatedly reestablished control through self-healing mechanisms and credential harvesting. Its ability to produce wide-scale, repeated compromise supports a threat capability estimate in the 7–9 FAIR range.

Control Strength (CS)

Resistive Strength (RS)

The OSINT describing Shai-hulud 2.0 highlights weaknesses common across modern software-development environments, including CI/CD workflows that can be triggered by untrusted pull requests, broad availability of secrets to build jobs, insufficient isolation of publishing credentials, and limited preventive controls around dependency integrity. Many organizations rely on basic dependency scanning, default GitHub Actions permissions, and manual secret rotation, all of which are ineffective against a threat that repackages trusted packages and abuses legitimate CI pipelines. In typical development environments where dependency hygiene varies, CI/CD hardening is uneven, and secret-scanning and signing practices are inconsistently applied, overall Resistive Strength is reasonably estimated at 3–6 on a 1–10 scale, with 4.5 as the most likely value.

Control Failure Rate

Shai-hulud 2.0 succeeds largely because common controls—package-integrity checks, build-pipeline permissions, secret-management policies, and dependency-trust assumptions—frequently fail under real conditions. Its ability to abuse trusted package updates, automatically harvest multi-cloud and GitHub credentials, escalate privileges inside GitHub Actions runners, and evade secret-detection by triple-encoding exfiltrated data demonstrates that preventive and detective mechanisms are often bypassed in practice. When RS is compared to the actor’s demonstrated capability and automation, the implied Control Failure Rate falls in the range of approximately 50–75 percent, with a most likely value of about 65 percent.

Susceptibility

Susceptibility represents the probability that an asset will be harmed once the threat acts, based on the relationship between Threat Capability and Control Strength. In this case, Shai-hulud 2.0 exhibits high capability (most likely 8/10) through its automated supply-chain compromise, multi-cloud credential harvesting, and CI/CD workflow manipulation, while the estimated Control Strength (most likely 4.5/10) reflects uneven dependency hygiene, permissive CI defaults, and inconsistent secret-management practices in many development environments. This disparity creates elevated vulnerability, but several limiting factors reduce the probability of harm: not all organizations rely on the specific compromised packages, some maintain partially hardened CI pipelines, ecosystem-level remediation (package takedowns, revocation of stolen tokens) shortens exposure windows, and organizations with strict trusted-publishing and minimal secret exposure in CI/CD substantially reduce exploitability. Considering attack surface, exposure conditions (installation of tainted dependencies, workflow triggers, cloud access patterns), and typical patch and pipeline-hardening practices, the justified Vulnerability range is low 35%, most likely 55%, and high 75%. For FAIR modeling, the Susceptibility for this Shai-hulud 2.0 scenario is therefore set at 55% as the most likely probability of harm when the threat acts.

Numerical Frequencies and Magnitudes

All values below are example/speculative values only and must be recalibrated to each organization’s own asset values, control strength, and telemetry.

Loss Event Frequency (LEF)

0.44/year (estimated)

• Justification: Using LEF = TEF × Vulnerability, the most likely inputs (0.8 annual threat events × 0.55 susceptibility) produce an estimated 0.44 events per year, or roughly one primary Shai-hulud–style loss event every 2–3 years. Across the plausible ranges for TEF (0.4–1.5) and susceptibility (0.35–0.75), the expected frequency spans from approximately 0.14 to about 1.1 loss events per year.

Vulnerability (probability of harm per contact): 0.55

• Justification: Shai-hulud 2.0 demonstrates high capability through automated supply-chain compromise, multi-cloud credential harvesting, and CI/CD manipulation, while many organizations maintain moderate or uneven CI/CD hardening, secret-scanning coverage, and dependency-control practices. This imbalance produces a credible probability of compromise in the 35–75 percent range, with 55 percent as a defensible midpoint for a typical organization using npm, GitHub, and cloud services.

Secondary Loss Event Frequency (SLEF)

0.20/year

• Justification: Software supply-chain compromises commonly trigger downstream consequences such as customer notifications, partner remediation, contractual impacts, and potential regulatory review when secrets or cloud resources are abused. Assuming roughly 35–50 percent of primary events escalate into secondary impacts for organizations with moderate dependency exposure, the most likely SLEF is approximately 0.20 events per year.

Loss Magnitude (LM)

Estimated range:

• Minimum: $500,000

• Most Likely: $2,000,000

• Maximum: $10,000,000

Justification:

Minimum estimates reflect targeted containment, CI/CD pipeline cleanup, secret revocation, and limited compromise of cloud credentials. Most-likely values incorporate broader remediation, regeneration of publishing credentials, full dependency-tree review, cloud-identity recovery, business interruption, and consulting and DFIR costs. Maximum values represent large-scale propagation, extensive secret exposure across multi-cloud environments, significant operational disruption, or downstream package poisoning requiring extensive customer or partner support.

Secondary Loss Magnitude (SLM)

Estimated range:

Minimum: $250,000

Most Likely: $1,000,000

Maximum: $5,000,000

Justification:

Secondary losses include legal and regulatory expenses, contractual penalties, public communication requirements, brand repair, and the cascading impact of compromised dependencies affecting customers or partners. Maximum values capture scenarios in which partner ecosystems are disrupted or where cloud credential abuse leads to extensive legal or commercial consequences.

Mapping, Controls, and Modeling

MITRE ATT&CK Mapping

Reconnaissance

T1596 – Search Open Technical Databases

Reference: “Before executing its main payload, the malware attempts self-healing by searching public GitHub repositories for the beacon phrase: ‘Sha1-Hulud: The Second Coming.’ This makes the malware self-healing—if a victim deletes previous malicious repositories, the attacker can re-seed victims through GitHub search.”

T1596 – Search Open Technical Databases

Reference: “The malware queries the NPM registry to discover all packages maintained by the authenticated victim… uses NPM's search API with the maintainer: filter to enumerate packages owned by the compromised account… requests up to 100 packages.”

Initial Access

T1195 – Supply Chain Compromise

Reference: “Multiple npm packages… have been compromised via account takeover/developer compromise… Added a preinstall script setup_bun.js in the package.json file… The attack uses a two-stage loader. When npm runs the preinstall script, it executes setup_bun.js… The package installation completes normally while the payload runs in the background.”

T1078 – Valid Accounts

Reference: “In the first Shai-Hulud Supply Chain compromise, the threat actor originally gained access through a compromised maintainer account, and likely did again.”

Execution

T1059.007 – Command and Scripting Interpreter: JavaScript

Reference: “Added a preinstall script setup_bun.js… The setup_bun.js file is a stealthy loader that silently installs or locates the Bun runtime and then executes a 10MB obfuscated and bundled malicious script (bun_environment.js) with all output suppressed.”

Reference: “The attack uses a two-stage loader. When npm runs the preinstall script, it executes setup_bun.js… Spawns a detached Bun process running bun_environment.js with POSTINSTALL_BG=1 flag… The package installation completes normally while the payload runs in the background.”

Privilege Escalation

T1548.003 – Abuse Elevation Control Mechanism: Sudo and Sudoers

Reference: “GitHub Actions Runner Privilege Escalation… On GitHub Actions runners (Linux only), the malware attempts to gain root access through sudoers manipulation… First attempts passwordless sudo… If that fails, exploits Docker privileges to write /etc/sudoers.d/runner… This grants the malware passwordless root access on GitHub Actions runners.”

Defensive Evasion

T1562.004 – Impair Defenses: Disable or Modify System Firewall

Reference: “Once privileged, the malware… Stops systemd-resolved… Replaces DNS configuration… Flushes iptables rules… sudo iptables -F OUTPUT… sudo iptables -F DOCKER-USER… This provides network-level control within CI environments, enabling… Blocking security scanners from reaching the internet… Prevention of security updates.”

T1027 – Obfuscated/Encrypted File or Information

Reference: “All exfiltrated data is encoded through three layers of base64 before upload… content → base64 → base64 → base64… Evades GitHub's built-in secret scanning… Bypasses third-party secret detection tools… Complicates forensic analysis of stolen data.”

Reference: “Reads a stored file containing a GitHub access token… Decodes it through three layers: base64 → base64 → base64.”

Credential Access

T1552 – Unsecured Credentials

Reference: “Captures entire environment including GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and all CI-injected secrets.”

Reference: “The malware also targets credentials from Azure Pod Identity… checks for the AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable… Beyond stealing static credentials, the malware uses stolen cloud credentials to access cloud-native secret management services.”

T1528 – Steal Application Access Token

Reference: “Reads a stored file containing a GitHub access token… Uses the recovered token as its primary credential for exfiltration.”

Reference: “Enumerates user repositories and extracts GitHub Actions workflow secrets. The malware then mines this data for NPM tokens (see worm propagation section).”

Discovery

T1082 – System Information Discovery

Reference: “The payload collects system information… ‘system’: { ‘platform’… ‘architecture’… ‘hostname’… ‘os_user’… }.”

T1526 – Cloud Service Discovery

Reference: “The implementation includes dedicated processes for AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault, each implementing the listAndRetrieveAllSecrets() method to enumerate and extract secrets stored in these services.”

Reference: “The AWS module loops through every available region, enumerating and dumping all secret values from AWS Secrets Manager in each. GCP Secret Manager and Azure Key Vault are similarly enumerated to retrieve all accessible secrets.”

Reference: “The Azure secret harvesting implementation… uses the Resource Manager API to list all Key Vault resources in the subscription… For each discovered vault, the malware instantiates a SecretClient and iterates through all secrets, retrieving their values.”

Collection

T1005 – Data from Local System

Reference: “Captures entire environment including GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and all CI-injected secrets.”

Reference: “TruffleHog Filesystem Scan… Runs trufflehog filesystem $HOME --json… Scans entire home directory for hardcoded secrets.”

Reference: “Uploads five JSON files to the victim's repository… contents.json (System info + GitHub creds)… environment.json (All env vars)… cloud.json (AWS/GCP/Azure secrets)… truffleSecrets.json (TruffleHog findings).”

Command and Control

T1102 – Web Service

Reference: “C2 Discovery via GitHub Search… the malware attempts self-healing by searching public GitHub repositories for the beacon phrase ‘Sha1-Hulud: The Second Coming.’… This makes the malware self-healing—if a victim deletes previous malicious repositories, the attacker can re-seed victims through GitHub search.”

Reference: “Creates a GitHub repository in the victim's account using the stolen GitHub token… Uploads five JSON files to the victim's repository… [using] the GitHub API.”

Exfiltration

T1567.001 – Exfiltration to Code Repository

Reference: “Creates a GitHub repository in the victim's account using the stolen GitHub token… All exfiltrated data is encoded through three layers of base64 before upload… Uploads five JSON files to the victim's repository… contents.json… environment.json… cloud.json… truffleSecrets.json.”

Reference: “Uses the recovered [GitHub access] token as its primary credential for exfiltration.”

Impact

T1485 – Data Destruction

Reference: “Windows: Deletes all files in %USERPROFILE%, removes directories, overwrites free space with cipher /W. Linux/macOS: Finds all writable user files, shreds them with single-pass overwrite, deletes empty directories.”

Reference: “The malware uses stolen cloud credentials to access cloud-native secret management services, while also exhibiting destructive code that wipes user data when unsuccessful in harvesting data.”

NIST 800-53 Affected Controls

AC-6 LEAST PRIVILEGE

Shai-hulud 2.0 abuses elevated runner and Docker privileges in GitHub Actions to grant itself passwordless root, directly undermining least-privilege expectations for build infrastructure. The malware attempts passwordless sudo and, if blocked, uses a privileged Docker container to write a new sudoers file (/etc/sudoers.d/runner), explicitly stating that this grants it passwordless root access on GitHub Actions runners.

Reference: “This grants the malware passwordless root access on GitHub Actions runners.”

SC-7 BOUNDARY PROTECTION

Once it has elevated privileges, the malware takes direct control of DNS and firewall settings inside CI environments, attacking boundary protection by reshaping outbound traffic and inspection paths. It stops systemd-resolved, replaces DNS configuration, flushes iptables rules, and then uses this network-level control to perform man-in-the-middle attacks inside CI, redirect package installs to malicious mirrors, block security scanners from reaching the internet, and prevent security updates.

Reference: “This provides network-level control within CI environments, enabling… man-in-the-middle attacks inside CI… redirection of package installs to malicious mirrors… blocking security scanners… [and] prevention of security updates.”

IA-5(7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS

The campaign systematically targets static credentials and secrets that are often stored in plaintext or weakly protected locations, directly attacking authenticator management practices that prohibit embedded, unencrypted secrets. Shai-hulud 2.0 captures entire CI/CD environments including GITHUB_TOKEN, NPM_TOKEN, cloud access keys, and all injected secrets, then runs TruffleHog across the user’s home directory to discover hardcoded credentials and stores the results as truffleSecrets.json.

Reference: “Captures entire environment including GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and all CI-injected secrets… runs trufflehog filesystem $HOME… scans entire home directory for hardcoded secrets.”

SR-3 SUPPLY CHAIN CONTROLS AND PROCESSES

The malware converts compromised maintainer accounts into an automated supply-chain weapon, directly attacking organizational controls meant to manage and assure the integrity of third-party code and components. OSINT describes how Shai-hulud 2.0 “automates supply chain compromise by backdooring all NPM packages maintained by the victim, republishing them with malicious payloads that execute on installation,” creating a wormable vector that can propagate across the npm ecosystem and potentially compromise thousands of downstream users.

Reference: “Automatically backdoors every NPM package maintained by the victim… creating a wormable vector capable of spreading exponentially across the NPM ecosystem and potentially compromising thousands of downstream users.”

SR-11 DEVELOPER SECURITY AND PRIVACY TESTING

Shai-hulud 2.0 hides inside normal development and build flows, highlighting failures or gaps in developer-focused security testing of dependencies, build tooling, and CI workflows. The campaign is delivered as an npm package with a malicious preinstall script ("preinstall": "node setup_bun.js") that automatically runs during installation, then uses a loader to fetch a Bun runtime and execute the main payload, mimicking legitimate installation procedures to evade detection and normal QA checks.

Reference: “Shai-Hulud 2.0 is delivered as an NPM package with a malicious preinstall script that executes automatically during the NPM installation process (modified package.json with ‘preinstall’: ‘node setup_bun.js’).”

CM-5 ACCESS RESTRICTIONS FOR CHANGE

The malware’s ability to create and modify GitHub Actions workflows and repositories using stolen tokens represents unauthorized, automated changes to configuration and code paths that should be tightly governed and reviewed. OSINT notes that Shai-hulud 2.0 “creates GitHub Actions workflows that allow for command-and-control (C&C)” and injects workflow mechanisms designed specifically to steal repository secrets, as well as creating repositories and saving artifacts like actionsSecrets.json and truffleSecrets.json for exfiltration.

Reference: “The malware also creates GitHub Actions workflows that allow for command-and-control (C&C). It also injects GitHub Actions workflow mechanisms that are specifically designed to steal repository secrets.”

SC-23 SESSION AUTHENTICITY

By manipulating DNS, firewall rules, and redirecting package traffic, Shai-hulud 2.0 directly threatens the authenticity of network sessions within CI/CD environments. The malware’s ability to perform man-in-the-middle attacks, redirect installs to malicious mirrors, and block scanners and updates shows it is actively undermining protections against session hijacking and the insertion of false information into sessions that SC-23 is intended to enforce.

Reference: “This provides network-level control within CI environments, enabling… man-in-the-middle attacks inside CI [and] redirection of package installs to malicious mirrors.”

Monitoring, Hunting, Response, and Reversing

Reducing susceptibility involves improving an organization’s ability to detect and understand abnormal activity before it causes harm. When monitoring, hunting, response, reverse-engineering, and CTI recommendations are implemented together, they close gaps that attackers rely on and create earlier, more reliable warning points. Stronger visibility, clearer detection logic, and faster containment limit an adversary’s opportunities to succeed. Combined, these practices form a layered defense that meaningfully lowers the likelihood that an exposed asset will be compromised.

Monitoring

Monitoring should prioritize high-fidelity telemetry from CI/CD runners, developer endpoints, GitHub audit logs, npm registry interactions, and cloud control planes alongside DNS, egress proxy, and identity data so that preinstall-script execution, Bun runtime downloads, and abnormal workflow behavior become visible, with log levels raised to capture process creation, sudoers modifications, DNS and firewall changes, environment-variable access, and outbound GitHub API traffic. The indicators of compromise show a highly automated and repeatable attack pattern defined by consistent malicious package structures, large-scale npm compromise, cross-ecosystem propagation, multi-cloud credential harvesting, and randomized GitHub repositories for exfiltration, revealing monitoring gaps such as limited visibility into runner OS activity and weak linkage between dependency events and cloud-secret behavior. To address this, organizations should enhance dependency-integrity controls, enforce trusted-publisher models, restrict workflow privileges, and implement behavioral detection for preinstall anomalies, detached Bun processes, bulk-secret enumeration, suspicious repository creation, and triple-base64–encoded exfil artifacts. Correlation logic should join package installation, preinstall execution, privilege escalation, cloud-secret spikes, and workflow creation into multi-stage alerts, while dashboards track secret-access patterns, workflow changes, and DNS/firewall anomalies. Because traditional static IOCs are insufficient for an evolving supply-chain campaign, monitoring strategies should be validated through simulated Shai-hulud–like activity to ensure pipelines, sensors, visualization tools, and alerting thresholds reliably detect this style of automated and propagating compromise.

Hunting

Hunting should start from hypotheses such as: a compromised maintainer or CI token is being used to backdoor packages; a CI runner has been used to enumerate all cloud secrets; or a GitHub token is being abused to create repos and workflows for exfiltration. Telemetry to pull includes GitHub audit and Actions logs, CI runner process and command history, package installation logs, cloud secret-management logs across all regions and subscriptions, and DNS/egress records for GitHub API and registry domains. Detection logic can look for patterns such as npm installs invoking preinstall scripts that fetch or execute Bun, runners writing to sudoers or modifying iptables and DNS, workflows that read large volumes of secrets or enumerate all packages owned by a maintainer, and repeated use of the same token to create new repositories or upload large JSON artifacts. Noise-to-signal considerations require separating legitimate automation from malicious behavior by focusing on unusual combinations and volumes (for example, secret reads across all regions by a single short-lived CI identity, or new repos created by a CI token that normally only runs tests), and by maintaining allow-lists for known build workflows while treating newly introduced workflows and scripts as higher-priority hunting targets.

Response

Response planning should emphasize rapid access to CI/CD logs, GitHub audit trails, workflow definitions, package manifest histories, runner OS logs, and cloud secret-management audit logs to reconstruct how the threat entered, what code and secrets it touched, and which packages were republished. Expected artifacts include modified package.json with malicious preinstall entries, Bun-related binaries and scripts on runners, altered sudoers files, flushed or rewritten iptables and DNS configs, GitHub repositories and workflows created via stolen tokens, and JSON files containing system, environment, and cloud-secret data stored or exfiltrated. Anti-forensic behavior such as log suppression within scripts, triple-encoded exfil data, and potential destructive wiping on endpoints should be assumed, requiring cross-correlation of host, GitHub, and cloud logs to reconstruct events. DFIR outputs should feed FAIR loss estimates by quantifying compromised secrets, cloud accounts, affected packages, and downstream consumers, as well as hours of response, rebuild scope, and any destructive impact. Likely containment includes revoking all affected GitHub and cloud credentials, disabling and rebuilding compromised workflows and runners, pulling backdoored packages, and rotating all secrets that may have been exposed. Priority artifacts are workflow YAMLs, package diffs, secret-access logs, and any exfil-related GitHub repos or artifacts, with telemetry requirements focused on capturing these at fine granularity and retaining them long enough to support multi-week investigations. DFIR validation should use controlled replay of known malicious workflows and preinstall behavior in a lab to confirm that current logging and playbooks are sufficient to detect and reconstruct a Shai-hulud–style incident.

Reverse Engineering

Reverse engineering should focus on the loader chain, starting from the altered package.json and setup scripts through to the Bun-based payload, documenting how the malware installs or locates Bun, launches obfuscated code, and then branches into privilege escalation, secret harvesting, and propagation routines. Analysts should characterize evasion techniques, including suppressed output, detached background execution, environment-variable capture, and triple-base64 encoding of exfiltrated data, and determine whether any persistence exists beyond the CI job scope (for example, dropped binaries or modified configs on long-lived runners). Indicators to extract include script names, Bun invocation patterns, API call structures for GitHub and cloud services, repository and workflow naming patterns, and file names and structures for secrets JSON artifacts. Dynamic hooks should instrument CI-like sandboxes to trace system calls, network traffic, and API interactions during a full install-and-run cycle, while static analysis should deobfuscate and map modular components handling AWS, GCP, Azure, and GitHub. Expected artifacts from analysis include signatures for loader and payload code, YARA rules for Bun bundles, and behavior-based profiles for workflow and secret-access misuse, with recommendations to share these with SOC, hunting, and CTI teams and to feed them into automated detection content.

CTI

CTI should refine priority intelligence requirements around whether this campaign has hit the organization’s sector, geography, or key partners; how frequently similar supply-chain campaigns appear in vendor and community reporting; which TTPs (such as CI workflow abuse, Bun-based loaders, and multi-cloud secret harvesting) are consistent across incidents; and which assets (maintainer accounts, CI tokens, cloud secret stores, and downstream customer environments) are repeatedly targeted. SIR evaluation should identify missing IOCs such as specific package names or versions, GitHub repo and workflow patterns, hashes of loader and payload components, cloud API endpoints most abused, and any infrastructure overlaps with other campaigns, as well as requirements for malware samples and richer telemetry from GitHub, cloud providers, and CI logs to validate suspected activity and improve attribution confidence. Collection should prioritize OSINT from security vendors, package ecosystems, and malware sandboxes; internal CI/CD, GitHub, and cloud telemetry; collaboration with ISACs and peer organizations facing similar supply-chain risks; and curated monitoring of malware repositories and threat-sharing platforms for new Shai-hulud variants and copycat campaigns. Mapping efforts should cluster observed infrastructure, packages, and workflows across incidents; map TTPs to ATT&CK in a repeatable way; compare with historical supply-chain compromises; and assess confidence levels for actor characterization and recurrence estimates. CTI should highlight emerging patterns like increased automation, expanded ecosystem reach, or new cloud-service abuse, continually testing and updating working hypotheses and ensuring that findings are translated into updated controls, hunting content, and FAIR risk parameters rather than remaining as static narrative reporting.

GRC and Testing

Governance

Governance should focus on updating software-supply-chain and CI/CD security policies to explicitly cover maintainer-account protection, trusted publishing, workflow-trigger restrictions, and secret-management requirements, while ensuring that oversight functions such as GRC, architecture review boards, and DevOps governance committees maintain recurring visibility into dependency-related risks. RA, PM, and PL family documents should be updated to reflect organizational expectations for third-party code integrity, secret-rotation cycles, CI runner hardening, and vendor-ecosystem exposure, with these requirements tied to measurable controls and reviewed at least annually. The risk register should add or update entries related to CI/CD compromise, maintainer account takeover, cloud-credential harvesting, and malicious package propagation, including FAIR-derived frequency and magnitude values from the scenario. Board and executive communication should translate this campaign into clear business-impact terms—unauthorized cloud access, downstream customer impact, and software integrity concerns—supported by periodic briefings on supply-chain control maturity, dependency governance improvements, and emerging threats in developer ecosystems.

Audit and Offensive Security Testing

Audit and offensive testing should evaluate whether existing CI/CD controls meaningfully prevent or detect behaviors seen in Shai-hulud 2.0, such as execution of arbitrary preinstall scripts, runner privilege escalation, unmonitored workflow creation, or cloud-secret over-permissioning, with audit findings emphasizing evidence gaps such as absent runner OS logs, insufficient workflow reviews, and weak secret-rotation practices. Policies and controls around package signing, maintainer identity protection, workflow permissions, and secret handling need validation through targeted red-team exercises and purple-team collaborations that attempt to reproduce key TTPs, including malicious preinstall execution, cloud-secret enumeration, and GitHub token abuse. Pen-testing scope should include developer laptops, CI runners, GitHub org settings, and cloud IAM configurations, ensuring testers can attempt exploitation paths that mirror the real threat. Exploit reproduction—such as safe versions of malicious preinstall scripts in a lab—should validate whether controls trigger alerts, block execution, or log adequately. Control validation should map outcomes to required improvements in CI hardening, credential governance, and workflow-security enforcement.

Awareness Training

Awareness training should highlight human failure modes that contribute to supply-chain exposure, such as weak maintainer-account hygiene, acceptance of unreviewed pull requests, and inconsistent scrutiny of dependency updates, even though the OSINT shows no phishing or social-engineering vectors. Training adjustments should target developers, build engineers, and administrators with role-specific guidance on detecting suspicious package-update behaviors, unusual workflow triggers, unexplained repository creation, and credential-access anomalies, while executives should receive high-level context on supply-chain integrity and governance expectations. Behavioral indicators employees should recognize include unexpected npm install behavior, new preinstall scripts in dependencies, unexplained runner privilege escalation, and bursts of cloud-secret access triggered by CI jobs. Phishing simulations do not directly apply but can be adapted to test recognition of suspicious contributor interactions or unexpected workflow-execution requests. Communication guidance should reinforce careful handling of access tokens, dependency-change approvals, and cloud credentials, along with regular reinforcement cycles that measure retention through periodic quizzes, code-review spot checks, and workflow-security exercises to ensure awareness remains aligned with the evolving supply-chain threat landscape.

Indicators of Compromise

List of Infected Packages