Full Report
Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign. [...]
Analysis Summary
# Tool/Technique: Shai-Hulud (AntV Campaign Variant)
## Overview
Shai-Hulud is a sophisticated supply-chain malware family designed to infect package manager ecosystems (primarily npm). Its purpose is to compromise developer workstations and CI/CD environments to steal sensitive credentials and secrets. The malware is notable for its self-propagating nature, where it uses stolen tokens to infect and republish legitimate packages managed by the victim, further spreading the infection.
## Technical Details
- **Type:** Malware (Infostealer / Worm)
- **Platform:** Cross-platform (Node.js environments, CI/CD runners, Developer workstations)
- **Capabilities:** Credential theft (GitHub, npm, Cloud, Kubernetes, SSH, etc.), automated self-propagation, encrypted exfiltration, and Sigstore attestation abuse.
- **First Seen:** September 2024 (Latest wave: May 2026)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]
- **[TA0006 - Credential Access]**
  - [T1552 - Unsecured Credentials]
  - [T1528 - Steal Application Access Token]
- **[TA0010 - Exfiltration]**
  - [T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository]
  - [T1041 - Exfiltration Over C2 Channel]
- **[TA0003 - Persistence]**
  - [T1534 - Internal Defacement (Republishing Malicious Packages)]
## Functionality
### Core Capabilities
- **Mass Secret Harvesting:** Scans infected environments for GitHub, npm, Docker, Kubernetes, Vault, database, and SSH credentials.
- **Supply Chain Propagation:** Validates stolen npm tokens, downloads legitimate packages owned by the user, injects the `index.js` payload, and republishes them with incremented version numbers.
- **Encrypted Exfiltration:** Serializes and compresses data using Gzip, then secures it via AES-256-GCM and RSA-OAEP before transmission.
### Advanced Features
- **Sigstore Abuse:** Generates valid provenance attestations by abusing OIDC tokens from compromised CI environments, making malicious packages appear legitimate.
- **Multi-Channel Exfiltration:** Primarily uses the Session P2P network to evade standard network monitoring; falls back to creating rogue GitHub repositories under the victim's account to host stolen data.
- **Evasion:** Uses heavy obfuscation in the `index.js` payload and targets dormant packages that lack modern security features like OIDC trusted publishing.
## Indicators of Compromise
- **File Names:** `index.js` (at the root level of npm packages), `router_init.js` (earlier variants), `router_runtime.js` (earlier variants).
- **Network Indicators:**
  - Session P2P network traffic.
  - GitHub API calls for repository creation (unauthorized).
  - [hXXp]://[C2-endpoint-defanged].com (specific endpoints vary by campaign wave).
- **Behavioral Indicators:**
  - Unexpected `npm publish` events from CI/CD runners or developer machines.
  - Automated creation of several thousand private/public GitHub repositories with serialized naming conventions.
  - Unexpected Gzip/AES encrypted traffic directed toward P2P nodes.
## Associated Threat Actors
- **TeamPCP** (Linked to the source code leak and early variants).
- Recent campaigns show use by multiple actors following the code leak.
## Detection Methods
- **Behavioral Detection:** Monitoring for unauthorized execution of `npm publish` and unusual API activity on GitHub/GitLab (e.g., rapid repo creation).
- **Static Analysis:** Scanning npm dependencies for heavily obfuscated JavaScript files or files containing RSA/AES logic not typical for the package's function.
- **Supply Chain Tools:** Using software composition analysis (SCA) tools to identify "bounced" versions of packages that were suddenly updated after long periods of inactivity.
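The dormancy check described under Supply Chain Tools, as an added example (not from the original report or any vendor tool): it reads the `time` map of an npm registry packument and flags a release that follows a long publishing gap. Package names, dates and the 365/30-day thresholds are constructed assumptions.

```javascript
// Flag "bounced" npm releases: a new version published after a long dormant gap.
// Input: the `time` map of a registry packument (version -> ISO publish date).
const DAY_MS = 24 * 60 * 60 * 1000;

// Publish events sorted by time; the registry's "created"/"modified" keys are skipped.
function publishHistory(timeMap) {
  return Object.entries(timeMap)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, at: Date.parse(iso) }))
    .filter((e) => !Number.isNaN(e.at))
    .sort((a, b) => a.at - b.at);
}

// Flag releases that follow a gap of >= dormantDays and were published within
// recentDays of `now`. Both thresholds are assumptions to tune per environment.
function findBouncedReleases(name, timeMap, now, dormantDays = 365, recentDays = 30) {
  const history = publishHistory(timeMap);
  const findings = [];
  for (let i = 1; i < history.length; i++) {
    const gapDays = Math.floor((history[i].at - history[i - 1].at) / DAY_MS);
    const ageDays = (now - history[i].at) / DAY_MS;
    if (gapDays >= dormantDays && ageDays >= 0 && ageDays <= recentDays) {
      findings.push({ name, version: history[i].version, previous: history[i - 1].version, gapDays });
    }
  }
  return findings;
}

// Constructed sample data: hypothetical package names and publish dates.
const SAMPLE = {
  "example-dormant-lib": {
    created: "2019-03-01T00:00:00.000Z",
    modified: "2026-05-12T00:00:00.000Z",
    "1.0.0": "2019-03-01T00:00:00.000Z",
    "1.0.1": "2019-06-15T00:00:00.000Z",
    "1.0.2": "2026-05-12T00:00:00.000Z",
  },
  "example-active-lib": {
    created: "2026-03-20T00:00:00.000Z",
    modified: "2026-05-10T00:00:00.000Z",
    "2.3.0": "2026-03-20T00:00:00.000Z",
    "2.3.1": "2026-05-10T00:00:00.000Z",
  },
};

function scanSample(now = Date.parse("2026-05-20T00:00:00.000Z")) {
  return Object.entries(SAMPLE).flatMap(([name, t]) => findBouncedReleases(name, t, now));
}

console.log(scanSample());
```

A hit is a triage lead rather than proof, since maintainers also revive old packages legitimately; follow it with a diff of the flagged tarball against the previous version.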
## Mitigation Strategies
- **Secret Rotation:** Immediately rotate all cloud, npm, and GitHub tokens if an infection is suspected.
- **Hardening CI/CD:** Implement OIDC (OpenID Connect) for trusted publishing on npm and PyPI to eliminate the need for long-lived secrets.
- **Credential Scoping:** Use fine-grained access tokens with minimal permissions instead of classic PATs or full-access tokens.
- **Environment Isolation:** Use ephemeral, isolated runners for CI/CD processes to limit the scope of secret harvesting.
## Related Tools/Techniques
- **Mini Shai-Hulud:** A lighter variant sharing the same operational model but different payload structures.
- **Typosquatting/Dependency Confusion:** While Shai-Hulud uses account takeover, it shares objectives with these common supply chain attack vectors.