Threat Intelligence News from LevelBlue SpiderLabs December 2025

The LevelBlue SpiderLabs report details a major supply-chain resurgence by the Shai-Hulud worm that trojanized hundreds of npm packages and exfiltrated thousands of developer secrets, while law enforcement dismantled the Rhadamanthys infostealer infrastructure during Operation Endgame. The update also highlights ClearFake’s rapid expansion across compromised websites, new USM Anywhere and NIDS detections, tracker additions/updates, and ongoing threat intelligence sharing via the LevelBlue OTX. #ShaiHulud #Rhadamanthys

Key Points

  • Shai-Hulud 2.0 is a self-propagating worm that has trojanized over 700 npm packages by injecting malicious preinstall scripts, expanding the impact far beyond the initial September 2025 campaign.
  • The malicious preinstall scripts enabled early access to developer environments and CI/CD pipelines, resulting in large-scale credential theft (GitHub tokens, npm credentials, multi-cloud API keys) exfiltrated to attacker-controlled GitHub repositories.
  • The worm’s self-replication has republished malicious package versions, injected rogue GitHub workflows for remote command execution, and contributed to over 25,000 compromised repositories and thousands of exposed secrets.
  • Operation Endgame saw Europol, Eurojust, and partners seize 1,025 servers and 20 domains used by the Rhadamanthys infostealer, disrupting infrastructure that supported hundreds of thousands of infected systems and millions of stolen credentials.
  • LevelBlue SpiderLabs created new Adversary Trackers (ClearFake, ValleyRAT, SystemBC, PureLogs, TinyLoader) and updated others (StealC, Tycoon2FA, XWorm); ClearFake accounted for nearly three-quarters of the tracker IOCs in November.
  • USM Anywhere and NIDS detections were expanded/updated (18 USM Anywhere detections and 5 NIDS updates), including detections for 1Password anomalies, LocalAccountTokenFilterPolicy registry modification, and protocols/actors like Gh0stKCP and Danabot.
  • LevelBlue OTX continues as a large community-driven intelligence exchange (330,000 researchers), with SpiderLabs publishing 99 new pulses in November to share IoCs and research findings.
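
As an added defender-side example, not code from the LevelBlue report or from any vendor it names: a Node.js audit that lists install-time lifecycle hooks across a set of package manifests and flags the patterns the campaign relied on (scripts that run before installation completes, credential-file access, encoded data, GitHub access from an install hook). The heuristics and the three sample manifests are constructed for illustration.

```javascript
// Added example (not code from the LevelBlue report): audit npm manifests for
// install-time lifecycle hooks, the vector the Shai-Hulud worm abused.
// Heuristics and sample manifests are constructed for illustration.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each heuristic carries the reason a reviewer sees when it matches.
const SUSPICIOUS = [
  { re: /\b(curl|wget|Invoke-WebRequest)\b/i, why: "downloads content at install time" },
  { re: /\bbase64\b|\batob\s*\(/i, why: "base64 encoding or decoding of data" },
  { re: /\beval\s*\(|new Function\s*\(/i, why: "dynamic code evaluation" },
  { re: /\bnode\s+\S+\.(js|mjs|cjs)\b/i, why: "runs a bundled script before install completes" },
  { re: /\.(npmrc|git-credentials)\b|\.aws\/credentials/i, why: "references credential files" },
  { re: /api\.github\.com|\bgit\s+push\b/i, why: "talks to GitHub from an install hook" },
];

// Returns one finding per lifecycle hook present in the manifest. A hook with
// no heuristic hit is still listed as "review": during an incident like this
// one, every install-time script deserves a look, not only the obvious ones.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const reasons = SUSPICIOUS.filter(({ re }) => re.test(cmd)).map(({ why }) => why);
    findings.push({
      package: `${manifest.name}@${manifest.version}`,
      hook, cmd, reasons,
      severity: reasons.length ? "high" : "review",
    });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed manifests; none of these are real packages.
const SAMPLE_MANIFESTS = [
  { name: "example-clean-lib", version: "1.0.0", scripts: { test: "mocha" } },
  { name: "example-native-addon", version: "2.3.1", scripts: { install: "node-gyp rebuild" } },
  { name: "example-trojanized", version: "4.1.7",
    scripts: { preinstall: "node install_helper.js && cat ~/.npmrc | base64" } },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`[${f.severity}] ${f.package} ${f.hook}: ${f.cmd}`);
  for (const r of f.reasons) console.log(`    - ${r}`);
}
```

In a real audit the manifests would be read from `node_modules/*/package.json` after a dry-run install; setting `ignore-scripts=true` in `.npmrc` blocks these hooks outright, at the cost of breaking packages that legitimately need them (native add-ons, for example).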

MITRE Techniques

  • [T1195] Supply Chain Compromise – Attackers trojanized legitimate packages and supply-chain artifacts to distribute malicious code and propagate the worm (‘trojanized hundreds of popular packages…injecting malicious preinstall scripts that execute before installation completes.’)
  • [T1059] Command and Scripting Interpreter – Malicious preinstall scripts were executed on developer machines and CI environments to run attacker-controlled code (‘injecting malicious preinstall scripts that execute before installation completes.’)
  • [T1567] Exfiltration Over Web Service – Stolen secrets were sent to attacker-controlled GitHub repositories used as exfiltration endpoints (‘Stolen secrets… were exfiltrated to attacker-controlled GitHub repositories labeled “Shai-Hulud: The Second Coming.”’)
  • [T1078] Valid Accounts – Compromised tokens and credentials were leveraged to access developer environments and CI/CD pipelines, enabling broader access and propagation (‘allowed early access to developer environments and CI/CD pipelines, enabling credential theft at scale.’)
  • [T1112] Modify Registry – Adversaries modified registry settings to gain elevated or privileged access on Windows hosts (‘modification of the registry key LocalAccountTokenFilterPolicy to gain privileged access.’)
  • [T1574] Hijack Execution Flow – Attackers republished malicious package versions and injected rogue GitHub workflows to achieve remote command execution within CI/CD contexts (‘republishing malicious versions and injecting rogue GitHub workflows for remote command execution.’)
  • [T1189] Drive-by Compromise – ClearFake was deployed on compromised websites to deliver deceptive browser-update prompts and fake verification pages, tricking users into execution (‘deployed on compromised websites…to deliver deceptive browser-update prompts and fake verification pages, such as FakeCAPTCHA.’)

Indicators of Compromise

  • [Repository] attacker-controlled GitHub repo name used for exfiltration – ‘Shai-Hulud: The Second Coming’ (attacker-controlled repository used to collect stolen secrets)
  • [Domain] infrastructure associated with Rhadamanthys – 20 domains were seized during Operation Endgame (specific domain names not listed in article)
  • [Server/IP] C2 and hosting infrastructure – 1,025 servers seized in the Rhadamanthys takedown (specific IPs not provided)
  • [Credentials/Secrets] stolen credentials and API keys – GitHub tokens, npm credentials, multi-cloud API keys (exfiltrated from developer and CI environments)
  • [Package names] trojanized npm packages and affected vendors – packages from Zapier, PostHog, Postman, ENS Domains, AsyncAPI (hundreds of popular packages were trojanized)
  • [Malware/Actor names] tracked malicious families and actors observed – Shai-Hulud, Rhadamanthys, ClearFake, Danabot (used as identifiers in detections and trackers)

Read more: https://levelblue.com/blogs/spiderlabs-blog/threat-intelligence-news-from-levelblue-spiderlabs/