The Shai-Hulud 2.0 npm worm: analysis, and what you need to know | Datadog Security Labs

Shai‑Hulud 2.0 is a self‑replicating npm worm that backdoored 796 unique npm packages (over 20 million weekly downloads) to install a Bun‑based obfuscated credentials stealer that exfiltrates secrets to public GitHub repositories. The worm propagates without a C2 by reading its own code to infect up to 100 packages per compromised npm account, and it leverages stolen GitHub and npm tokens, self‑hosted runners and vulnerable GitHub Actions to execute remote code and persist.

Keypoints

  • Shai‑Hulud 2.0 backdoored 796 unique npm packages (1,092 package versions) responsible for over 20 million weekly downloads, with the last observed infected publish on 2025‑11‑24 at 18:00 UTC.
  • The primary payload is a Bun‑based obfuscated credentials stealer that harvests local and cloud credentials (AWS/Azure/GCP), uses stolen GitHub credentials to create public exfiltration repositories, and can install a self‑hosted GitHub runner for remote execution.
  • Propagation is autonomous and C2‑free: the worm reads its own code to write a second malicious file, adds setup_bun.js and bun_environment.js to packages, inserts a preinstall script, bumps patch versions and publishes up to 100 backdoored packages per compromised npm account.
  • Exfiltration is performed by creating public GitHub repositories with the fixed description “Sha1-Hulud: The Second Coming.”; Datadog observed over 500 unique GitHub users and 14,000+ repositories tied to this pattern, which is a lower bound.
  • The malware aggressively targets cloud credentials by reading known credential files, calling cloud instance metadata services, enumerating and retrieving secrets from AWS Secrets Manager, Azure Key Vault, and Google Secret Manager, and using tools like Trufflehog to find secrets.
  • If neither valid GitHub nor npm credentials are obtainable, the worm attempts destructive cleanup by shredding or deleting the user’s home directory to eliminate traces or cause damage.
  • Initial compromise likely started with a malicious commit affecting asyncapi/cli (the suspected “patient zero”) and may have exploited injection vulnerabilities in CI pipelines shortly before mass publication; mitigations by npm appear to have limited further spread after 2025‑11‑24.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Backdooring legitimate npm packages by adding malicious files and a preinstall script to propagate to downstream users (‘The worm infects a legitimate package by adding two malicious files and a preinstall script to it’)
  • [T1078] Valid Accounts – Theft and use of npm and GitHub tokens from disk to validate identity and publish backdoored packages or create exfiltration repositories (‘uses the user’s npm credentials from the local filesystem to self-propagate’ and ‘using the user’s GitHub credentials available on disk’)
  • [T1105] Ingress Tool Transfer – Downloading and executing third‑party binaries and runtimes (Bun, Trufflehog, actions-runner) to enable payload execution and secret discovery (‘Install the Bun JavaScript runtime, likely to evade standard Node.js monitoring, and use it to run an obfuscated payload’ and ‘Downloading and using Trufflehog to actively hunt for secrets’)
  • [T1027] Obfuscated Files or Information – Running an obfuscated payload via the Bun runtime to hide malicious behavior (‘use it to run an obfuscated payload’)
  • [T1552.001] Unsecured Credentials: Credentials in Files – Harvesting known credential files on disk such as .config/gcloud/application_default_credentials.json and .npmrc to steal tokens and keys (‘Harvesting known files with credentials on disk, such as .config/gcloud/application_default_credentials.json’)
  • [T1190] Exploit Public-Facing Application – Likely exploiting injection vulnerabilities in CI pipelines and a malicious commit/pull request to gain initial repository access (‘this initial repository might be vulnerable to a number of injection vulnerabilities in its CI pipelines, that were fixed a couple of hours preceding the publication of this post’)
  • [T1567] Exfiltration Over Web Service – Exfiltrating harvested credentials by creating public GitHub repositories with a distinctive description and files containing stolen secrets (‘exfiltrates harvested credentials to a public GitHub repository with a description set to Sha1-Hulud: The Second Coming.’)

Indicators of Compromise

  • [Domain] initialization/use – bun.sh (legitimate domain used by the malware during initialization)
  • [File names] created on compromised endpoints – setup_bun.js, bun_environment.js
  • [GitHub repository name pattern] exfiltration repositories – repository names matching the regex [0-9a-z]{18} and repositories with description “Sha1-Hulud: The Second Coming.”
  • [Affected npm packages] initial and exemplar compromised packages – asyncapi/cli, packages in the @asyncio scope, and 794 more packages (total 796 unique packages)
  • [Package versions / artifacts] npm tarballs and publish activity – examples in the attack include GET /package-to-backdoor/-/package-to-backdoor-1.2.4.tgz and subsequent PUT / publish requests observed to registry.npmjs.org

Read more: https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/