Threat Brief: Shai-Hulud Malware Campaign

Executive Summary (Sep 24, 2025)

A self-replicating malware campaign—dubbed Shai-Hulud—is compromising hundreds of npm packages and automatically spreading by stealing developer and CI/CD credentials, then republishing infected versions across all packages owned by newly compromised maintainers. Several well-known libraries and even packages published under CrowdStrike namespaces were briefly affected (CrowdStrike says Falcon/platform are not impacted). Analysis confirms the scope has grown significantly, with tallies now exceeding 500 packages and security agency alerts being issued.

Why it matters: Unlike prior one-off npm compromises, Shai-Hulud behaves as a worm. One developer’s environment or CI runner can turn into an amplification node that silently repackages every library they publish—propagating the compromise through software supply chains at ecosystem speed. The addition of techniques that publicly expose private source code has elevated the risk beyond credential theft. In response, both CISA and major platforms like GitHub have issued formal guidance and are accelerating security changes.

Credible What/When — Key Facts

• Name & nature: “Shai-Hulud” (after Dune’s sandworms). First detections reported Sep 15–16, 2025; campaign is self-replicating and secrets-stealing.
• Propagation: A malicious postinstall script executes a large bundle.js, harvests npm/GitHub/cloud tokens, plants a GitHub Actions workflow, exfiltrates secrets, and then republishes infected versions across the victim maintainer’s other packages. Techniques include creating pull requests from shai-hulud branches and making private repositories public.
• Scale: Publicly reported scope has grown from 180+ to over 500+ infected packages. Some analysts estimate ~700 likely repos via migration artifacts.
• Notables: Multiple packages under CrowdStrike’s npm presence were flagged and removed. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since issued a formal alert on the campaign.

Threat Narrative — For Leadership

Shai-Hulud turns the trust and automation of modern software delivery into a force multiplier. It piggybacks on routine npm install flows, steals short- and long-lived credentials from developer laptops and build agents, persists via GitHub Actions, and re-publishes itself across every package a victim maintains. The result is an ecosystem-level incident: even teams far from the initial blast radius face risk if any transitive dependency crossed paths with the worm during the window of exposure. The threat now explicitly includes the public leaking of private intellectual property, raising the stakes for all affected organizations.

Technical Deep Dive

Initial Access & Execution

A trojanized package (e.g., @ctrl/tinycolor@4.1.1/4.1.2) is installed. A postinstall hook runs a large bundle.js payload. The initial vector is widely believed to be a targeted phishing campaign against developers.

Secrets Harvesting

Payload invokes a secrets-scanner (TruffleHog), probes cloud metadata endpoints, and enumerates npm/GitHub/AWS/GCP/Azure tokens from env vars and local stores.

Persistence & Exfiltration

• Adds a GitHub Actions workflow that exfiltrates secrets to attacker webhooks and obfuscates logs.
• Technique: Creates a public GitHub repository named Shai-Hulud under the victim's account and commits a data.json file containing the stolen secrets.
• Technique: Converts the victim's private repositories to public, renaming them with a -migration suffix and adding "Shai-Hulud Migration" to the description.

Self-Replication

Using stolen tokens, the malware rebuilds and republishes each package owned by the victim, injecting the worm.

• Technique: For each repository the compromised account can access, it creates a new branch (shai-hulud), uploads the malicious workflow, and creates a pull request to merge it into the default branch.

MITRE ATT&CK Mapping

‍

Indicators of Compromise (IOCs) & Hunt Notes

File/Content

• Suspicious, large bundle.js invoked via postinstall.
• Sample Hashes (bundle.js):
  • SHA256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 (variants exist)
  • MD5: 78e701f42b76ccde3f2678e548886860, fbf3fe241abf21b1a732352a037edec0
• Temp Directory: Use of /tmp/github-migration as a working directory.

GitHub Repo/Org

• Repository Name: Shai-Hulud (created under a compromised user's account).
• Repository Description: "Shai-Hulud Migration"
• Branch Name: shai-hulud
• Workflow file: .github/workflows/shai-hulud-workflow.yml

Network

• Webhook URL: https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7
• Suspicious API Calls to: secretsmanager.*.amazonaws.com, secretmanager.googleapis.com

Process Execution

• TruffleHog execution with arguments like filesystem /..
• npm publish commands with the --force flag.

How to Check if You’re Affected — 10-Minute Triage

1. Inventory & Pin: Dump a list of all npm dependencies (from lockfiles/SBOM) for builds between Sep 15–24, 2025; compare against public trackers.
2. GitHub Audit: Search your org for repos named Shai-Hulud, repos with description “Shai-Hulud Migration”, or branches named shai-hulud. Review Actions history for unusual steps or outbound webhooks.
3. Token Hygiene: Identify any npm/GitHub/cloud tokens present on machines/runners that performed npm install on suspect days; revoke/rotate immediately.
4. Endpoint Sweep: On developer laptops/CI runners, hunt for recent node/npm processes executing from temp dirs or large bundle.js artifacts.

Incident Response Playbook — Prioritized

1. Contain: Pause all publishes and pipeline promotions. Set npm config set ignore-scripts true in CI for emergency builds.
2. Eradicate: Replace trojanized packages with known-good versions. Remove malicious workflows, unknown webhooks/OAuth apps, and unrecognized PATs. Audit for and revert any private repositories that were made public.
3. Credential Reset: Rotate all npm tokens, GitHub tokens, and cloud credentials used on any box/runner that installed affected packages since Sep 15.
4. Hardening — Forward:
   • Require phishing-resistant MFA for npm & GitHub; enforce branch protection for workflow changes.
   • Transition to Trusted Publishing: Follow new GitHub guidance to adopt SLSA-style attestations and short-lived, scoped tokens instead of long-lived secrets in CI.
   • Policy: Ban postinstall for third-party deps in CI except for a vetted allow-list.

Timeline

Recommended Controls — Product & Platform Owners

• Package Policy: Ban postinstall for external deps in CI except for an allow-list; pin by SHA where possible.
• Identity & Secrets: Use short-lived, scoped tokens with enforced rotation (adopt GitHub's new trusted publishing model). Block outbound traffic to unknown webhook domains.
• Build Provenance: Adopt SLSA-style attestations and enforce signature/provenance verification on artifacts.
• Detection Engineering: Add rules for .github/workflows/* creation, alert on branch names like shai-hulud and "Shai-Hulud Migration" strings, and monitor for private repos being made public.

Resources

• CISA Alert: Widespread Supply Chain Compromise Impacting npm Ecosystem
• GitHub Blog: Our plan for a more secure npm supply chain
• Cyber Security News — NPM Supply Chain Attack Targets CrowdStrike Packages
• Infosecurity Magazine — Self-Replicating Worm Infects Hundreds of NPM Packages
• Dark Reading — Self-Replicating ‘Shai-Hulud’ Worm Spreads via npm Packages

‍