Threat Research

Datadog threat roundup: Top insights for Q3 2025

DataDogHQ
Datadog threat roundup: Top insights for Q3 2025

Datadog observed a rise in supply-chain and developer-tooling attacks in Q3 2025, including widespread npm account compromises via phishing and a self-replicating npm worm (Shai-Hulud) that exfiltrated GitHub tokens and propagated across packages. The report also highlights malicious VS Code extensions, AI-assisted malware (e.g., LameHug) using external LLM APIs, and persistent risks from long-lived cloud credentials and fraudulent deepfake job profiles. #Shai-Hulud #S1ngularity

Keypoints

  • Attackers increasingly compromise npm maintainer accounts via phishing sites (e.g., npmjs.cam, npnjs.com, npmjs.help) to publish malicious package versions that can impact many developers.
  • The S1ngularity campaign (Aug 26, 2025) used AI CLI tools for scanning and exfiltration and abused GitHub tokens to publish stolen data to public repositories named like “s1ngularity-repository”.
  • The Shai-Hulud worm (Sep 16, 2025) self-replicated across npm packages, stole GitHub and cloud credentials, exfiltrated to a webhook, and used compromised credentials to inject malicious package updates into other projects.
  • Malicious and typosquatted VS Code extensions continue to be distributed (including backdoored legitimate extensions like Amazon Q), with payloads executing PowerShell for remote access, cryptomining, or data theft; delisting alone is insufficient to remove risk.
  • Threat actors are using AI services and LLMs at runtime (e.g., HuggingFace, Qwen) to dynamically generate malicious commands and scale operations, and some malware embeds large sets of compromised AI service tokens.
  • Long-lived cloud credentials remain a major weakness—many organizations use IAM users or service account keys older than a year, enabling discovery via secret scanners and subsequent enumeration (e.g., SES, Bedrock).
  • Fraudulent remote IT worker campaigns leveraging deepfakes and automated application tooling are expanding beyond tech companies into healthcare, finance, and government sectors.

MITRE Techniques

  • [T1583] Acquire Infrastructure – Attackers registered phishing domains (e.g., “npmjs.cam”, “npnjs.com”, “npmjs.help”) to host fake npm websites and harvest maintainer credentials: ‘Screenshot of a sample phishing website, npmjs[.]cam, identified by Datadog in September 2025.’
  • [T1193] Spearphishing Attachment / [T1531] Account Manipulation – Phishing campaigns targeted maintainer 2FA reset flows and credentials to publish malicious npm package versions: ‘the official maintainer … confirmed a compromise. This breach resulted from a 2FA reset phishing campaign originating from [email protected].’
  • [T1204] User Execution – Malicious VS Code extensions rely on users installing or auto-updating extensions (including typosquatted ones) to execute arbitrary JavaScript inside the IDE: ‘extensions auto-update by default, a hijacked / a publisher with malicious intent could push that change silently to every installed copy.’
  • [T1059] Command and Scripting Interpreter – Payloads executed PowerShell scripts to download further tools, establish persistence, and enable remote control (e.g., ScreenConnect installer): ‘it executes a powershell script … first grabs a randomly named ScreenConnect installer … and runs it with admin rights.’
  • [T1566] Phishing – Phishing-resistant MFA recommendations (WebAuthn/FIDO2) discussed because attackers used adversary-in-the-middle (AitM) to forward TOTP tokens: ‘only phishing-resistant forms such as WebAuthn/FIDO2 defeat such phishing campaigns … attackers were using adversary-in-the-middle (AitM) to steal and forward TOTP tokens.’
  • [T1608] Stage Capabilities – Malware used AI/LLM tooling at runtime (e.g., HuggingFace Qwen 2.5 Coder) to dynamically generate malicious commands and payloads: ‘LameHug … uses the HuggingFace API to dynamically generate malicious commands using the Qwen 2.5 Coder 32B model.’
  • [T1110] Brute Force / T1078] Valid Accounts – Threat actors leveraged compromised GitHub tokens and long-lived cloud credentials to access and abuse cloud and repository resources, then used those credentials to publish malicious packages or exfiltrate data: ‘it exploited the user’s GitHub token to create public repositories … containing the stolen data.’
  • [T1535] Transfer Data to Cloud Account – Exfiltration by uploading stolen data to attacker-controlled GitHub repositories (e.g., “Shai-Hulud”) and to webhook endpoints: ‘exfiltrated this information to a webhook endpoint and used the compromised GitHub credentials to upload the stolen data to a repository named “Shai-Hulud.”‘

Indicators of Compromise

  • [Domain] phishing domains used to harvest npm credentials – npmjs.cam, npnjs.com (and npmjs.help)
  • [Package name] malicious or compromised npm packages – @nx/[email protected] (malicious sample with S1ngularity behavior), packages affected by Shai-Hulud (over 500 packages)
  • [Extension name] malicious VS Code extensions and impersonations – JuanFBlanco.awswhh, VitalikButerin-EthFoundation.blan-co, ShowSnowcrypto.SnowShoNo, Amazon Q (backdoored official extension)
  • [URL] malicious download URLs / scripts – example PowerShell script URL: niggboo[.]com/aaa (used to fetch ScreenConnect installer)
  • [Repository name] exfiltration targets – public repositories named “s1ngularity-repository”, “s1ngularity-repository-{random}”, and “Shai-Hulud”
  • [Technique artifact] AI prompt indicators – PROMPT strings used to locate wallet/key files on victim machines (seen embedded in malicious package code) and lists of compromised AI service tokens (hundreds embedded in at least one malware sample)

Read more: https://securitylabs.datadoghq.com/articles/2025-q3-threat-roundup/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint