In September 2025 a supply-chain attack on npm introduced an infostealer named Shai-Hulud into 500+ packages, using post-install scripts to harvest credentials, run TruffleHog, exfiltrate secrets to a webhook, and self-propagate by publishing infected package versions when it obtained publishing tokens. The incident highlighted CI/CD pipelines and stolen long-term tokens as primary vectors and showed how eBPF-based runtime sensors and execution-context detection (e.g., Datadog Workload Protection) can detect such behaviors at install time. #Shai-Hulud #TruffleHog
Keypoints
- Shai-Hulud is an infostealer with worm-like propagation that compromised 500+ npm packages by leveraging post-install scripts to execute malicious payloads upon package installation.
- Initial access was in part traced to a prior compromise of s1ngularity/nx via a malicious pull request (a "pwn request") that resulted in GitHub and npm token exfiltration, enabling broad downstream impact.
- The payload uses TruffleHog to scan for API keys, hardcoded secrets, and cloud credentials, validates discovered credentials, exfiltrates data to a hardcoded webhook, and attempts to publish infected package versions to propagate.
- CI/CD pipelines and self-hosted runners are high-value targets because they hold secrets and publishing capabilities; stolen long-term tokens were a key enabler in this campaign.
- Traditional static scanning and blocklists are insufficient against novel or obfuscated threats and can produce false positives/negatives; publishing protections like npm trusted publishing (OIDC) reduce reliance on long-term secrets.
- Runtime detection using eBPF-based sensors and execution contexts (e.g., Datadog Workload Protection with SECL rules) can group related events from an npm install into a coherent compromise story, improving detection of post-install payloads.
- Example detection logic sets a package_install correlation_key on node/npm install executions and aggregates tactics server-side to trigger alerts when multiple tactics (credential access, discovery, exfiltration, etc.) appear under the same context.
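The correlation described in the last keypoint, as an added offline simulation. This is not Datadog Workload Protection code and not SECL syntax; it only models the idea of tagging the install process with a package_install correlation key, letting every child process inherit it, aggregating tactics per key, and alerting once several tactics co-occur under one key. The event shape, the tactic rules, the registry allowlist, the threshold of three tactics and the sample events are all assumptions made for this example.

```python
"""Execution-context correlation over `npm install` events (offline simulation).

Added example, not Datadog Workload Protection code and not SECL syntax. It
models the idea from the keypoints: tag the install process with a
package_install correlation key, let child processes inherit it, aggregate
tactics per key, and alert when several tactics co-occur under one key.
Event shape, tactic rules, host allowlist and threshold are assumptions.
"""
from collections import defaultdict

INSTALL_TOOLS = {"npm", "yarn", "pnpm"}
ALLOWED_HOSTS = {"registry.npmjs.org"}  # hosts an install is expected to reach
ALERT_THRESHOLD = 3                      # distinct tactics per context before alerting


def is_install_root(ev):
    """A package-manager exec with an install-like subcommand starts a context."""
    return (ev["type"] == "exec" and ev["comm"] in INSTALL_TOOLS
            and any(a in ("install", "i", "ci") for a in ev["args"][1:]))


def classify(ev):
    """Map one event to a tactic label, or None if nothing suspicious."""
    if ev["type"] == "exec":
        if ev["comm"] == "trufflehog":
            return "credential_access"
        if ev["comm"] in INSTALL_TOOLS and "publish" in ev["args"]:
            return "propagation"
        if ev["comm"] in ("env", "printenv"):
            return "discovery"
    elif ev["type"] == "open":
        if ev["path"].endswith((".npmrc", ".aws/credentials", ".git-credentials")):
            return "credential_access"
        if ev["path"].endswith("/environ"):
            return "discovery"
    elif ev["type"] == "connect":
        # Coarse heuristic: any egress from an install context to a non-registry host.
        if ev["host"] not in ALLOWED_HOSTS:
            return "exfiltration"
    return None


def correlate(events):
    """Group tactics by correlation key; returns {key: {"tactics", "evidence"}}."""
    key_of_pid = {}
    contexts = defaultdict(lambda: {"tactics": set(), "evidence": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "exec":
            if is_install_root(ev):
                key_of_pid[ev["pid"]] = f"package_install:{ev['pid']}"
            elif ev["ppid"] in key_of_pid:
                key_of_pid[ev["pid"]] = key_of_pid[ev["ppid"]]  # inherit parent context
        key = key_of_pid.get(ev["pid"])
        if key is None:
            continue  # not under an install context: out of scope for this detector
        tactic = classify(ev)
        if tactic:
            contexts[key]["tactics"].add(tactic)
            contexts[key]["evidence"].append((ev["ts"], tactic, ev))
    return dict(contexts)


def alerts(events, threshold=ALERT_THRESHOLD):
    """Contexts whose distinct-tactic count reaches the threshold."""
    return {k: sorted(v["tactics"]) for k, v in correlate(events).items()
            if len(v["tactics"]) >= threshold}


# Constructed sample events (not real telemetry). Three stories:
# pid 200: install whose post-install script runs a payload; pid 300: benign install
# with a native build; pid 400: a developer running trufflehog outside any install.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "exec", "pid": 200, "ppid": 1, "comm": "npm", "args": ["npm", "install"]},
    {"ts": 2, "type": "open", "pid": 200, "ppid": 1, "path": "/home/ci/.npmrc"},
    {"ts": 3, "type": "exec", "pid": 201, "ppid": 200, "comm": "sh", "args": ["sh", "-c", "node postinstall.js"]},
    {"ts": 4, "type": "exec", "pid": 202, "ppid": 201, "comm": "node", "args": ["node", "postinstall.js"]},
    {"ts": 5, "type": "open", "pid": 202, "ppid": 201, "path": "/proc/self/environ"},
    {"ts": 6, "type": "exec", "pid": 203, "ppid": 202, "comm": "trufflehog", "args": ["trufflehog", "filesystem", "/home/ci"]},
    {"ts": 7, "type": "connect", "pid": 202, "ppid": 201, "host": "hooks.example.invalid", "port": 443},
    {"ts": 8, "type": "exec", "pid": 204, "ppid": 202, "comm": "npm", "args": ["npm", "publish"]},
    {"ts": 10, "type": "exec", "pid": 300, "ppid": 1, "comm": "npm", "args": ["npm", "ci"]},
    {"ts": 11, "type": "open", "pid": 300, "ppid": 1, "path": "/home/dev/.npmrc"},
    {"ts": 12, "type": "connect", "pid": 300, "ppid": 1, "host": "registry.npmjs.org", "port": 443},
    {"ts": 13, "type": "exec", "pid": 301, "ppid": 300, "comm": "sh", "args": ["sh", "-c", "node-gyp rebuild"]},
    {"ts": 14, "type": "exec", "pid": 302, "ppid": 301, "comm": "node-gyp", "args": ["node-gyp", "rebuild"]},
    {"ts": 15, "type": "exec", "pid": 400, "ppid": 1, "comm": "trufflehog", "args": ["trufflehog", "git", "."]},
]

if __name__ == "__main__":
    for key, tactics in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {key}: {', '.join(tactics)}")
```

Two design points matter here. The benign install also reads ~/.npmrc, so a single credential_access event under an install context must not alert on its own; only the combination of credential access, discovery, unexpected egress and a publish from the same context crosses the threshold. And the developer's standalone trufflehog run (pid 400) is never attributed to an install, because the key is inherited strictly through the process tree rather than by matching process names globally.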
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Shai-Hulud uses npm post-install scripts to execute its payload immediately upon package installation: ‘uses the post-install script feature of the package.json file… executed immediately upon the package’s installation.’
- [T1552.001] Unsecured Credentials: Credentials In Files – The malware scans the host filesystem for credentials and secrets using TruffleHog: ‘downloads and executes a legitimate open source tool, TruffleHog, and uses it to scan the host system for API keys, hardcoded secrets, and cloud credentials.’
- [T1005] Data from Local System – Credentials and other sensitive data found on the local host are collected, validated and staged before transmission: ‘Once the malware discovers credentials, it validates their legitimacy and uses them to establish persistence and spread.’
- [T1567] Exfiltration Over Web Service – Harvested data is sent to a hardcoded webhook endpoint: ‘transmitting all harvested sensitive data to a hardcoded webhook endpoint.’
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain (using [T1078] Valid Accounts) – Worm-like propagation: discovered npm/GitHub publishing credentials are used to publish infected package versions, infecting downstream consumers: ‘it immediately uses them to create and publish a new version of a package… to propagate the infection.’
- [T1528] Steal Application Access Token – Theft of long-lived npm and GitHub tokens from CI/CD pipelines and self-hosted runners, which then grant publish permissions and enable propagation: ‘stolen long-term tokens enabled wide compromise in the Shai-Hulud campaign’ and ‘CI/CD pipelines remain an overlooked target for credential theft and propagation.’
Indicators of Compromise
- [File Name] malicious package post-install scripts – infected packages contained a post-install script that executed the payload (example context: npm package post-install entry point).
- [Tool Name] credential-scanning tool used by malware – TruffleHog was downloaded and executed by the payload to discover secrets.
- [Network Endpoint] webhook exfiltration endpoint – harvested data was sent to a hardcoded webhook URL (the final exfiltration destination; the exact URL is not given here), alongside GitHub API endpoints used with the stolen tokens.
- [Artifact] stolen tokens/credentials – GitHub and npm tokens were exfiltrated in the initial compromise of s1ngularity/nx (example context: stolen long-term tokens enabled package publishing), and additional publishing credentials used to publish infected versions.
Read more: https://securitylabs.datadoghq.com/articles/supply-chain-attacks-runtime-security-detection/