Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Shai-Hulud has attempted to gain root access by leveraging |
| Enterprise | T1098 | Account Manipulation | Shai-Hulud has modified GitHub account settings for private repositories and changed them to public.[5][6][7][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Shai-Hulud has utilized curl to install Bun over HTTPS.[2] |
| Enterprise | T1119 | Automated Collection | Shai-Hulud has the ability to automatically collect host data, secrets, system information, and endpoints.[5][6][2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Shai-Hulud has utilized PowerShell |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Shai-Hulud has utilized Linux shell commands to modify configuration files.[3] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Shai-Hulud has used JavaScript to create JSON file output and to run scripts using Node.js.[5][6][1][7][2][3][4] |
| Enterprise | T1543.002 | Create or Modify System Process: Systemd Service | Shai-Hulud has stopped |
| Enterprise | T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores | Shai-Hulud has gathered secrets from AWS Secrets and GCP Secret Manager.[5][6][3] Shai-Hulud has also gathered data from Azure Key Vault.[6][3] |
| Enterprise | T1485 | Data Destruction | Shai-Hulud has destroyed the victim's home directory by overwriting and deleting every writable file within the user's home folder.[1][3] Shai-Hulud has also utilized the |
| Enterprise | T1213.003 | Data from Information Repositories: Code Repositories | Shai-Hulud has downloaded existing packages from code repositories and extracted data stored within them.[5] |
| Enterprise | T1678 | Delay Execution | Shai-Hulud has delayed execution of its larger payloads by forking itself into a background process.[1] |
| Enterprise | T1685 | Disable or Modify Tools | Shai-Hulud has replaced DNS configuration from |
| Enterprise | T1546.016 | Event Triggered Execution: Installer Packages | Shai-Hulud has inserted a new lifecycle hook to include |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Shai-Hulud has used HTTP POST requests to exfiltrate secrets from the victim environment to an attacker-controlled URL.[5][1][7] |
| Enterprise | T1567.001 | Exfiltration Over Web Service: Exfiltration to Code Repository | Shai-Hulud has created a repository named |
| Enterprise | T1567.004 | Exfiltration Over Web Service: Exfiltration Over Webhook | Shai-Hulud has exfiltrated repository secrets to |
| Enterprise | T1564.011 | Hide Artifacts: Ignore Process Interrupts | Shai-Hulud has suppressed NPM warnings by silently exiting through the use of the NPM success code, with a setting that makes all errors exit with |
| Enterprise | T1105 | Ingress Tool Transfer | Shai-Hulud has downloaded packages from code repositories.[5][7][3][4] Shai-Hulud has also downloaded and executed the secrets-discovery tool TruffleHog to gather sensitive data.[6][7][2][3][4] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Shai-Hulud has masqueraded as a legitimate Bun installer.[1][3] |
| Enterprise | T1036.009 | Masquerading: Break Process Trees | Shai-Hulud has augmented its installation process by having its original install process exit cleanly, giving the user the illusion that the package was installed normally.[1][3] |
| Enterprise | T1027 | Obfuscated Files or Information | Shai-Hulud has utilized double-base64 encoding to store stolen secrets within the GitHub Actions logs of the victim account.[5][6][7][4] Shai-Hulud has also applied three layers of base64 encoding to exfiltrated data for anti-forensic purposes.[3] |
| Enterprise | T1677 | Poisoned Pipeline Execution | Shai-Hulud has leveraged GitHub Actions from stolen accounts in order to create a malicious GitHub workflow within |
| Enterprise | T1593.003 | Search Open Websites/Domains: Code Repositories | Shai-Hulud has the ability to search open sites and code repositories for compromised credentials.[5][2] Shai-Hulud has discovered packages associated with compromised accounts.[6] Shai-Hulud has also searched code repositories for other compromised repositories that include predefined parameters or markers, including "Second Coming" combined with an 18-character alphanumeric string.[6] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Shai-Hulud has published malicious gzip-compressed tarballs (.tgz) following modification of packages within compromised accounts.[5][4] Shai-Hulud has also modified packages within compromised accounts.[6][7] |
| Enterprise | T1528 | Steal Application Access Token | Shai-Hulud has stolen access tokens and API tokens from CI/CD pipeline solutions and repositories.[6][1][7][3] |
| Enterprise | T1553 | Subvert Trust Controls | Shai-Hulud has suppressed victim NPM warnings using |
| Enterprise | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Shai-Hulud has published itself within infected packages under compromised code repository maintainers in attempts to propagate to other victims.[5][6][7][2][3] Shai-Hulud has also modified versions of code packages.[5][6][7][3] |
| Enterprise | T1082 | System Information Discovery | Shai-Hulud has gathered victim system information.[5][3] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Shai-Hulud has gathered sensitive data stored in the Node.js file |
| Enterprise | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API | Shai-Hulud has queried the AWS and GCP metadata endpoints for instance and service credentials.[5] |
| Enterprise | T1550.001 | Use Alternate Authentication Material: Application Access Token | Shai-Hulud has leveraged captured valid NPM tokens to enumerate and update packages on compromised accounts.[5][3][4] Shai-Hulud has also utilized stolen GitHub access tokens to access compromised accounts.[3][4] |
| Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | Shai-Hulud has leveraged compromised accounts to log into cloud services and access cloud-hosted repositories.[5][6][1][7][2] |