Shai-Hulud Goes Open Source | Datadog Security Labs

MITRE Techniques

• [T1195.002 ] Compromise Software Supply Chain – Poisoned npm packages and GitHub repository branches were used for propagation and compromise (‘npm package poisoning, GitHub repo branch poisoning’).
• [T1195.001 ] Compromise Software Dependencies – OIDC-based npm publishing and forged provenance were used to alter trusted dependencies (‘OIDC-based npm publishing with forged provenance’).
• [T1199 ] Trusted Relationship – GitHub Actions OIDC tokens were abused to obtain trusted publishing access (‘GitHub Actions OIDC token abuse for npm publish’).
• [T1059.004 ] Unix Shell – Bash scripts handled bootstrapping and destructive monitoring logic (‘BASH_LOADER.sh, DEADMAN_SWITCH.sh’).
• [T1059.006 ] Python – Python was used for the loader and for memory-reading secret extraction (‘PYTHON_LOADER.py, python_util.py (memory reader)’).
• [T1059.007 ] JavaScript – TypeScript/Bun JavaScript payloads implemented the framework and loaders (‘config.mjs, compiled payloads, entire TypeScript framework’).
• [T1204.002 ] User Execution: Malicious File – Malicious VSCode and Claude Code hooks triggered execution when a repo was opened or a session started (‘runOn: “folderOpen”, Claude Code SessionStart hook’).
• [T1543.001 ] Launch Agent – A macOS LaunchAgent provided persistence for the token-monitoring daemon (‘com.user.gh-token-monitor persistence’).
• [T1543.002 ] Systemd Service – A Linux systemd user service maintained persistence on Linux hosts (‘gh-token-monitor.service persistence’).
• [T1552.001 ] Credentials in Files – Over 100 sensitive file paths were scanned for secrets across Linux, macOS, and Windows-style locations (‘100+ file paths scanned across 3 OS families’).
• [T1552.005 ] Cloud Instance Metadata Service – Cloud credentials were collected from AWS IMDSv2 and ECS metadata (‘AWS IMDSv2, ECS container metadata’).
• [T1552.007 ] Container API – Kubernetes service account tokens and secrets were pulled from in-cluster APIs (‘Kubernetes service account tokens, secrets API’).
• [T1003 ] OS Credential Dumping – Process memory was read from /proc//mem to extract secrets from Runner.Worker (‘reading of Runner.Worker’).
• [T1528 ] Steal Application Access Token – GitHub CLI tokens, GitHub PATs, npm tokens, and Vault tokens were harvested (‘gh auth token, GitHub PATs, npm tokens, Vault tokens’).
• [T1560.001 ] Archive via Utility – Collected data was gzip-compressed before encryption and exfiltration (‘gzip compression before encryption’).
• [T1041 ] Exfiltration Over C2 Channel – Encrypted data was sent via HTTPS POST to the primary C2 domain (‘HTTPS POST to git-tanstack[.]com’).
• [T1567.001 ] Exfiltration to Code Repository – Encrypted payloads were committed to GitHub repositories as dead-drops (‘Encrypted commits to GitHub repos’).
• [T1573.002 ] Asymmetric Cryptography – AES-256-GCM was combined with RSA-4096 for hybrid encryption and key wrapping (‘RSA-4096 + AES-256-GCM hybrid encryption’).
• [T1102 ] Web Service – GitHub commit search was used as a signed dead-drop mechanism for fallback C2 resolution (‘GitHub commit search as signed C2 dead-drop’).
• [T1485 ] Data Destruction – A deadman-switch handler could delete the victim’s home directory (‘rm -rf ~/ deadman switch’).
• [T1588.004 ] Digital Certificates – Fulcio certificates and Rekor entries were abused to create forged provenance for poisoned packages (‘Fulcio certificate abuse for provenance forgery’).