Supply Chain Compromise: Shai-Hulud exploits npm echosystem

Cohesity REDLab has released updates to the threat library in response to the widespread supply chain compromise impacting npm ecosystem. Build system backups or host backups that run ‘npm install’ should be scanned closely. Users should closely monitor the ML-based anti-ransomware backup anomalies in Security Center. It is recommended to use the Threat Scan in tandem with anti-ransomware to scan backup data using the default threat library or custom YARA rules. Users should also run periodic file-hash scans to detect dormant malware in backup data.

Overview

Shai-Hulud is a self-replicating worm observed in the npm ecosystem. It trojanize packages and automatically steals maintainer tokens and keys. It then uses those stolen credentials to re-publish malicious versions of other packages i.e. it propagates through the package registry itself.

Why Shai-Hulud is unique?

Worm-like automated propagation: After initial compromise the malware automatically finds other packages the victim can publish and pushes poisoned versions itself. By doing so it creates cascading compromises across maintainers. The automation of using stolen npm tokens to republish is what makes it unique. It harvests npm tokens, GitHub PATs and cloud keys (AWS/GCP/Azure) to expand the compromise.

CI/CD abuse and repository tampering: The persistence and broad exfiltration via CI is accomplishes by creating GitHub Actions workflows to exfiltrate and sometimes make private repos public.

Tooling and AI signals: Palo Alto Unit 42 has flagged evidence that an LLM likely helped author the malicious script in the worm.

Kill Chain Deep Dive

Initial access / Execution: Attacker publishes trojanized package versions that include a postinstall script which runs on npm install.

Payload actions on host/build: bundle.js executes, runs a scanner, reads .npmrc, env vars, cloud metadata endpoints, SSH keys and exfiltrates working tokens to actor endpoints (webhook.site + public GitHub repos named Shai-Hulud).

Credential abuse / Lateral movement: Using stolen npm/GitHub tokens the malware authenticates to npm and to GitHub as the developer. It finds packages the developer controls and programmatically modifies repackaged tarballs to inject bundle.js and publishes new malicious versions. This is the worm propagation step.

Persistence / C2 / Exfiltration: It may install GitHub Actions workflows (shai-hulud-workflow.yml) that run on pushes to exfiltrate data (via webhooks) and can make private repos public. The actor also publicly commits stolen secrets to a repo named Shai-Hulud, exposing them.

Final Remarks

It is recommended to scan build hosts or any other systems that run ‘npm install’ to check if compromised npm packages are installed. Cohesity’s Anti-Ransomware module deploys inline ML-based techniques to identify new and unknown threats in backup data. The Threat Detection feature lets you scan backup data for known malware signatures, indicators of compromise (IOCs), using both built-in threat feeds and custom YARA rules. This helps ensure that the data recovered from backups is clean and avoids re-infecting production after a breach. It works by integrating curated threat intelligence and anomaly detection into Cohesity data protection platform so that customers can schedule or initiate threat scans over backups, inspect snapshots for malicious or suspicious artifacts, flag or quarantine compromised backups, and then use those evaluations to guide rapid recovery and response.

Cohesity Data Cloud

Data Cloud packaging

Certified platforms

Backup & Recovery

Cloud Data Protection

SaaS Data Protection

Unstructured Data Protection

Cyber Resilience

Zero Trust Security

Archive & Long-Term Retention

Disaster Recovery

Identity Resilience

Ransomware Anomaly Detection

Threat Protection

Data Classification

Cyber Vaulting

Cyber Recovery Orchestration

Digital Jump Bag

Clean Room Solution

AI Conversational Search

Reporting & IT Insights

Global Search

Why Cohesity

Cohesity vs. Rubrik

Cohesity vs. Commvault

View all solutions

Learn more

Microsoft 365 Protection

AWS

Azure

Google Cloud

Google Workspace

Slack

Active Directory & Entra ID

Hyper-V

Kubernetes

IBM

MongoDB

MS SQL Server

NAS

NoSQL & Hadoop

Nutanix

Oracle

Red Hat

SAP HANA

VMware

Financial services

Healthcare and life sciences

Manufacturing and logistics

Federal government

State, local government, and education

Retail and hospitality

Legal

Energy and utilities

Telecom

Technology

Media and Entertainment

View all

Corporate Overview

Blogs

Demos

Events and Webinars

Customer Stories

Glossary

Marketplace

Support

Support login

How-to videos

Cyber Event Response Team

Cohesity User Group

Cohesity Academy

Trust Center

Channel Partners

Global System Integrators

Security Partners

Cloud Alliances

Technology Partners

Managed Service Providers

Data Security Alliance

Leadership