Full Report
On September 15, 2025, malicious versions of multiple popular packages were published to npm with a post-install script that harvested sensitive developer assets and exfiltrated data to attacker-created public GitHub repos named Shai-Hulud. Wiz Research estimates that this act...
Analysis Summary
# Tool/Technique: Malicious npm Packages (Shai-Hulud Campaign)
## Overview
A supply chain attack conducted via the npm public registry where multiple popular packages were backdoored with a malicious post-install script designed to harvest sensitive developer assets (secrets, environment variables, cloud keys) and exfiltrate them to attacker-controlled public GitHub repositories named "Shai-Hulud." The infection can propagate automatically by publishing malicious package versions if additional npm tokens are found.
## Technical Details
- Type: Malware Family/Campaign (Supply Chain Attack)
- Platform: JavaScript/Node.js ecosystem (npm)
- Capabilities: Credential harvesting, secret scanning, token abuse, self-propagation (worm-like behavior), data exfiltration via GitHub Actions.
- First Seen: September 15, 2025
## MITRE ATT&CK Mapping
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Implied via environment variable harvesting)
- T1552 - Unsecured Credentials
- T1552.001 - Credentials in Files (Harvesting code/secrets)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Exfiltration via GitHub or webhook)
- TA0001 - Initial Access
- T1190 - Exploit Public-Facing Application (Distribution via public registry)
## Functionality
### Core Capabilities
* **Initial Delivery:** Malicious code executes immediately post-installation due to a malicious `post-install` script within the compromised npm package.
* **Credential Harvesting:** Gathers sensitive developer assets, including environment variables and IMDS-exposed cloud keys.
* **Secret Scanning:** Utilizes the **TruffleHog** tool to actively scan code repositories for embedded secrets.
* **Token Validation & Abuse:** Validates harvested credentials, specifically focusing on GitHub tokens.
### Advanced Features
* **Self-Propagation Mechanism:** If npm tokens are discovered in the victim environment, the malware automatically publishes malicious versions of any accessible packages, acting as a self-propagating worm.
* **Repository Tampering:** Abuses valid GitHub tokens to:
1. Create a new, public GitHub repository named `Shai-Hulud` containing harvested secrets.
2. Push a new, malicious GitHub Actions workflow to all accessible repositories to exfiltrate those repositories’ secrets.
3. Migrate private organizational repositories to public personal repositories under the attacker-controlled user, appending a `-migration` suffix and setting the description "Shai-Hulud Migration."
* **Downstream Link:** The campaign appears to be a downstream result of earlier token exfiltration observed during the "s1ngularity campaign."
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: Malicious components hidden within names of popular npm packages.
- Registry Keys: Not applicable (Focus is on file system/runtime environment in Node.js).
- Network Indicators:
- Exfiltration C2 (GitHub Actions Workflow): `hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7`
- C2 Destination (Secrets Dump): Attacker-controlled public GitHub repositories named `Shai-Hulud`.
- Behavioral Indicators: Execution of unknown scripts from npm post-install hooks; creation of new *public* repositories named `Shai-Hulud`; modification of existing GitHub Actions workflows; migration of private repos to public visibility.
## Associated Threat Actors
- Unknown (Associated contextually with the "s1ngularity / Nx supply chain attack").
## Detection Methods
- Signature-based detection: Identifying specific hashes of the initial malicious package versions (if available from full analysis).
- Behavioral detection: Monitoring for anomalous execution of post-install scripts in dependency management tools, scanning for secrets (TruffleHog activity), and API calls related to GitHub repository creation/migration or secret exfiltration originating from a CI/CD runner or development machine.
- YARA rules: Not available from the context.
## Mitigation Strategies
- **Source Trust:** Limit dependence on packages from untrusted sources or those without strong community vetting, especially during initial download spikes.
- **Dependency Scanning:** Implement continuous scanning of dependencies for known malicious payloads within installation scripts (`package.json` scripts).
- **Least Privilege (Secrets):** Ensure dependency installation environments (CI/CD or local dev machines) operate with the absolute minimum necessary credentials, especially avoiding broad npm write tokens or overly permissive GitHub permissions that allow repository modification/migration.
- **Token Scoping:** Review and restrict the scope of any deployed GitHub tokens to prevent worms from gaining write access across entire organizations or users.
## Related Tools/Techniques
- **TruffleHog:** Used by the malware as an integrated tool for secret scanning.
- **s1ngularity Campaign:** The predecessor campaign believed to have supplied the initial GitHub tokens necessary for this attack's viability.
- Package Supply Chain Attacks (General Pattern).