Shai-Hulud 2.0: Guidance for Detecting, Investigating, and Defending Against the Supply Chain Attack


The Shai-Hulud 2.0 campaign compromised hundreds of npm packages by adding a preinstall script that installed a Bun runtime to execute malicious code, create GitHub runners, and harvest credentials using tools such as TruffleHog. Microsoft Defender detections and guidance emphasize defense in depth: scanning build artifacts, rotating exposed credentials, isolating CI/CD agents, and correlating telemetry to contain propagation.

Key points

  • Attackers injected a preinstall script (setup_bun.js) into multiple npm packages to run malicious code before tests or security checks.
  • The malicious Bun runtime executed bun_environment.js, which downloaded a GitHub Actions Runner archive, created repositories, and deployed a runner named SHA1HULUD.
  • TruffleHog and included runner tools were used to search systems and repositories for stored credentials and exfiltrate them to public attacker-controlled repositories.
  • Compromised maintainer accounts from widely used projects (e.g., Zapier, PostHog, Postman) were used to propagate malicious packages and automation.
  • Data destruction activity was observed (detected via shred on hidden files) as part of the campaign’s impact actions.
  • Traditional network defenses are insufficient for supply chain compromises; correlating telemetry across code, endpoint, container, and runtime layers improves detection and containment.
  • Mitigations include rotating/revoking credentials, isolating affected CI/CD agents, reducing pipeline permissions, and enabling repository-to-image mapping in Defender for Cloud.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Attackers modified public npm packages to execute malicious code during installation. Quote: ‘Malicious code executes during the preinstall phase of infected npm packages, allowing execution before tests or security checks.’
  • [T1059] Command and Scripting Interpreter – Scripts and interpreters (node, bun, bash) were used to install runtimes, download artifacts, and run credential-gathering tools. Quote: ‘The Bun runtime executed the bundled malicious script bun_environment.js. This script downloaded and installed a GitHub Actions Runner archive.’
  • [T1078] Valid Accounts – Threat actors compromised maintainer accounts to inject malicious packages and perform repository actions. Quote: ‘Attackers have compromised maintainer accounts from widely used projects (for example, Zapier, PostHog, Postman).’
  • [T1485] Data Destruction – The campaign performed destructive actions detected via shred on hidden files. Quote: ‘Microsoft Defender for Containers promptly notified our customers when the campaign began through the alert Suspicious usage of the shred command on hidden files detected.’
  • [T1537/T1567] Exfiltration Over Web Service / Transfer to Cloud Service – Stolen credentials were exfiltrated to public attacker-controlled repositories, and remote repositories were used for data transfer. Quote: ‘Stolen credentials are exfiltrated to public attacker-controlled repositories, which could lead to further compromise.’
  • [T1036] Masquerading – Attackers used fake personas (e.g., commits under the name “Linus Torvalds”) to impersonate legitimate authors and evade detection. Quote: ‘In some cases, commits to the newly created repositories were under the name “Linus Torvalds”… The use of fake personas highlights the importance of commit signature verification.’
  • [T1005/T1083] Data from Local System / File and Directory Discovery – Tools such as TruffleHog were used to search local files and repositories for stored secrets and credentials. Quote: ‘TruffleHog was used to query the system for stored credentials and retrieve stored cloud credentials.’

Indicators of Compromise

  • [File name] Malicious package scripts – setup_bun.js, bun_environment.js
  • [Domain / URL] Installer and download location referenced – bun.sh (https://bun.sh/install)
  • [Tool / Binary names] Components and tools dropped or executed – TruffleHog, Runner.Listener (and other runner-related executables)
  • [Repository / Runner identifier] GitHub runner and repository artifacts – “SHA1HULUD” runner name, commits authored as “Linus Torvalds”


Read more: https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/