Palo Alto Networks Unit 42 identified a novel, self-replicating npm supply chain worm called “Shai-Hulud” that has compromised over 180 packages by harvesting developer credentials and using stolen npm tokens to publish malicious updates. Unit 42 also assessed with moderate confidence that an LLM assisted in generating the malicious bash script, and the campaign exfiltrates secrets to actor-controlled endpoints and publishes them publicly to repositories named “Shai-Hulud”. #Shai-Hulud #@ctrl/tinycolor
Keypoints
- Shai-Hulud is a novel, self-replicating worm targeting the npm ecosystem and has compromised more than 180 packages.
- The campaign likely began with credential-harvesting phishing that spoofed npm to obtain developer tokens and MFA credentials.
- The malicious post-install script scans for .npmrc files, environment variables, GitHub PATs, cloud API keys (AWS, GCP, Azure) and exfiltrates them to an actor-controlled endpoint.
- Exfiltrated secrets are committed publicly in a new repository named “Shai-Hulud” under victims’ GitHub accounts, exposing credentials.
- Using stolen npm tokens, the worm programmatically injects malicious code into other packages maintained by compromised developers and publishes infected versions, enabling automated propagation.
- High-impact victims include widely used packages such as @ctrl/tinycolor, with potential downstream effects including cloud compromise, data theft, ransomware, cryptomining, and lateral movement via SSH keys.
- Unit 42 recommends immediate credential rotation, dependency auditing, GitHub account reviews (look for “Shai-Hulud”), and strict enforcement of MFA.
MITRE Techniques
- [T1531] Account Discovery – The malware scans for credentials and configuration files (‘.npmrc’, environment variables, GitHub PATs) to discover usable accounts and tokens; “…scans the compromised environment for sensitive credentials, including: .npmrc files (for npm tokens) … GitHub Personal Access Tokens (PATs)…”
- [T1056] Input Capture – The worm harvests secrets from files and environment variables (e.g., .npmrc, config files) to capture sensitive input; “…scans the compromised environment for sensitive credentials, including: .npmrc files (for npm tokens) Environment variables and configuration files…”
- [T1005] Data from Local System – The payload collects local files and secrets from the developer machine (e.g., .npmrc, SSH keys) for exfiltration; “…scans the compromised environment for sensitive credentials, including: .npmrc files … stolen SSH keys can enable lateral movement…”
- [T1041] Exfiltration Over Web Service – Harvested credentials are exfiltrated to an actor-controlled endpoint such as webhook.site; “…Harvested credentials are exfiltrated to an actor-controlled endpoint.” (example IOC: “hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7”)
- [T1496] Resource Hijacking – The campaign can lead to cryptomining and misuse of cloud resources after credential theft enabling cloud compromise (AWS, GCP, Azure); “…Credential theft from this campaign can lead directly to compromise of cloud services … ransomware deployment, cryptomining or deletion of production environments.”
- [T1609] Container and Resource Discovery (CI/CD) – The worm propagates through CI/CD by publishing malicious package updates to the npm registry using compromised maintainer tokens, exploiting continuous delivery workflows; “…Using the stolen npm token, the malware authenticates to the npm registry … injects malicious code … and publishes the new, compromised versions to the registry… propagating at the speed of Continuous Integration and Continuous Delivery (CI/CD)…”
- [T1585] Compromise Infrastructure – The malware programmatically creates public GitHub repositories named “Shai-Hulud” under victim accounts and commits stolen secrets, exposing infrastructure and evidence of compromise; “…creates a new public GitHub repository named ‘Shai-Hulud’ under the victim’s account and commits the stolen secrets to it…”
Indicators of Compromise
- [File Hash] Known malicious file hashes – 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09, b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 (and 2 more hashes)
- [Domain/URL] Exfiltration endpoints – hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 (used to receive stolen credentials)
- [File Name] Malicious workflow/YAML – “shai-hulud-workflow.yml” detected on macOS and Linux agent telemetry (used to establish persistence or CI modifications)
- [File Name] Malicious JavaScript bundle – “bundle.js” associated with SHA256 46faab8a…f09 (detected as malicious payload)
Read more: https://unit42.paloaltonetworks.com/npm-supply-chain-attack/