{"description": "Enterprise techniques used by Shai-Hulud, ATT&CK software S9008 (v1.0)", "name": "Shai-Hulud (S9008)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.003", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has attempted to gain root access by leveraging `sudo` and `/etc/sudoers.d`.(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has modified GitHub account settings for private repositories and changed them to public.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Microsoft Shai-Hulud December 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has utilized curl to install Bun over HTTPS.(Citation: Microsoft Shai-Hulud December 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has the ability to automatically collect host data, secrets, system information, and endpoints.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Microsoft Shai-Hulud December 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has utilized PowerShell `Invoke-WebRequest` to download and install the malicious payload.(Citation: Microsoft Shai-Hulud December 2025)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has utilized Linux shell commands to modify configuration files.(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has used JavaScript to create JSON file output and run scripts using Node.js.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Microsoft Shai-Hulud December 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.002", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has stopped `systemd-resolved` in order to manipulate DNS and firewalls.(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.006", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has gathered secrets from AWS Secrets Manager and GCP Secret Manager.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also gathered data from Azure Key Vault.(Citation: Netskope Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has destroyed the victim\u2019s home directory by overwriting and deleting every writable file within the user's home folder.(Citation: 
Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also utilized the `shred` command on Linux devices.(Citation: Microsoft Shai-Hulud December 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1213", "showSubtechniques": true}, {"techniqueID": "T1213.003", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has downloaded existing packages from code repositories and extracted data stored within them.(Citation: Aikido Shai-Hulud September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1678", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has delayed execution of its larger payloads by forking itself into a background process.(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has replaced the DNS configuration using `/tmp/resolved.conf` in order to gain network-level control within CI environments and has flushed iptables rules using `sudo iptables -F OUTPUT` and `sudo iptables -F DOCKER-USER`.(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.016", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has inserted a new `postinstall` lifecycle hook.(Citation: Aikido Shai-Hulud September 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Socket Shai-Hulud November 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also leveraged the NPM lifecycle hook `preinstall`.(Citation: Netskope Shai-Hulud November 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Microsoft 
Shai-Hulud December 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has used HTTP POST requests to exfiltrate secrets from the victim environment to an attacker-controlled URL.(Citation: Aikido Shai-Hulud September 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.001", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has created a repository named `Shai-Hulud` under the compromised account and committed to it a JSON dump containing system information, environment variables and collected secrets.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also posted stolen credentials to public GitHub repositories.(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Microsoft Shai-Hulud December 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1567.004", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has exfiltrated repository secrets to `webhook[.]site`.(Citation: Wiz Shai-Hulud September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.011", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has suppressed NPM warnings by silently exiting with the NPM success code, so that all errors exit with `code 0`.(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1105", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has downloaded packages from code repositories.(Citation: Aikido Shai-Hulud September 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also downloaded and executed the secrets-discovery tool [TruffleHog](https://attack.mitre.org/software/S9009) to gather sensitive data.(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Microsoft Shai-Hulud December 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has masqueraded as a legitimate Bun installer.(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.009", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has had its original install process exit cleanly to give the user the impression that the package installed normally.(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has utilized double-base64 encoding to store stolen secrets within GitHub Actions logs in the victim account.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025) 
[Shai-Hulud](https://attack.mitre.org/software/S9008) has also applied three layers of base64 encoding to exfiltrated data for anti-forensic purposes.(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1677", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has leveraged GitHub Actions from stolen accounts in order to create a malicious GitHub workflow within `.github/workflows/discussion.yaml`.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1593", "showSubtechniques": true}, {"techniqueID": "T1593.003", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has the ability to search open sites and code repositories for compromised credentials.(Citation: Aikido Shai-Hulud September 2025)(Citation: Microsoft Shai-Hulud December 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has discovered packages associated with compromised accounts.(Citation: Netskope Shai-Hulud November 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also searched code repositories for other compromised repositories carrying predefined markers, such as \u201cSecond Coming\u201d combined with an 18-character alphanumeric string.(Citation: Netskope Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has published malicious gzip-compressed tarballs (.tgz) following modification of packages within compromised accounts.(Citation: Aikido Shai-Hulud September 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025) 
[Shai-Hulud](https://attack.mitre.org/software/S9008) has also modified packages within compromised accounts.(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1528", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has stolen access tokens and API tokens from within CI/CD pipeline solutions and repositories.(Citation: Netskope Shai-Hulud November 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has suppressed victim NPM warnings using `process[\"exit\"](0x0);`, which causes all errors to exit with code 0.(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1195", "showSubtechniques": true}, {"techniqueID": "T1195.001", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has published itself within infected packages under compromised maintainer accounts in attempts to propagate to other victims.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Microsoft Shai-Hulud December 2025)(Citation: Socket Shai-Hulud November 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also modified versions of code packages.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has gathered victim system information.(Citation: Aikido 
Shai-Hulud September 2025)(Citation: Socket Shai-Hulud November 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has gathered sensitive data exposed through the Node.js `process.env` object, including credentials and API keys.(Citation: Aikido Shai-Hulud September 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has harvested credentials stored in config files and credential files in victim environments, including `~/.aws/credentials`, `application_default_credentials.json`, and `azureProfile.json`.(Citation: Netskope Shai-Hulud November 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also targeted credentials and tokens stored in the NPM config file `.npmrc` and in GitHub config files.(Citation: Netskope Shai-Hulud November 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.005", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has queried the AWS and GCP metadata endpoints for instance and service credentials.(Citation: Aikido Shai-Hulud September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.001", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has leveraged captured valid NPM tokens to enumerate and update packages on compromised accounts.(Citation: Aikido Shai-Hulud September 2025)(Citation: Socket Shai-Hulud November 
2025)(Citation: Socket Shai-Hulud Trufflehog September 2025) [Shai-Hulud](https://attack.mitre.org/software/S9008) has also utilized stolen GitHub access tokens to access compromised accounts.(Citation: Socket Shai-Hulud November 2025)(Citation: Socket Shai-Hulud Trufflehog September 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "[Shai-Hulud](https://attack.mitre.org/software/S9008) has leveraged compromised accounts to log into cloud services to access cloud hosted repositories.(Citation: Aikido Shai-Hulud September 2025)(Citation: Netskope Shai-Hulud November 2025)(Citation: Palo Alto Unit 42 Shai-Hulud November 2025)(Citation: Wiz Shai-Hulud September 2025)(Citation: Microsoft Shai-Hulud December 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Shai-Hulud", "color": "#66b1ff"}]}
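The following Node.js script is an added example for this page; it is not code from the ATT&CK layer above or from any of the cited vendor reports. It checks two behaviours the layer attributes to Shai-Hulud: install-time lifecycle hooks (`preinstall`/`postinstall`) declared in a package.json, and stolen data wrapped in several layers of base64 before being written to a repository or workflow log. The package name, script commands, hostname and secret values in the sample inputs are constructed placeholders, and the list of suspicious command fragments is an assumption drawn from the curl, Bun, bundled-script and PowerShell usage the layer mentions, not a published detection signature.

```javascript
"use strict";

// Lifecycle hooks npm runs automatically during `npm install`; the layer
// attributes abuse of `preinstall` and `postinstall` to Shai-Hulud.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Command fragments that deserve review inside an install hook (assumption:
// fetching a payload with curl/wget, invoking bun, running a bundled script,
// or calling PowerShell, all of which the layer's comments mention).
const SUSPICIOUS_FRAGMENTS = [
  /\bcurl\b/,
  /\bwget\b/,
  /\bbun\b/,
  /\bnode\s+\S+\.js\b/,
  /\bpowershell\b/i,
  /Invoke-WebRequest/i,
];

// Return one finding per install-time hook present in a parsed package.json.
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const matched = SUSPICIOUS_FRAGMENTS.filter((re) => re.test(command)).map((re) => re.source);
    findings.push({ hook, command, suspicious: matched.length > 0, matched });
  }
  return findings;
}

// Strict base64 alphabet with optional padding.
const B64 = /^[A-Za-z0-9+/]+={0,2}$/;

// Unwrap nested base64 layers until the content stops being base64 text.
// The round-trip check stops ordinary alphanumeric words being "decoded".
function peelBase64(input, maxLayers = 8) {
  let current = String(input).trim();
  let layers = 0;
  while (layers < maxLayers && current.length % 4 === 0 && B64.test(current)) {
    const bytes = Buffer.from(current, "base64");
    if (bytes.toString("base64") !== current) break;
    const text = bytes.toString("utf8");
    // Non-printable output means binary data or a false positive, not a layer.
    if (/[^\t\n\r\x20-\x7e]/.test(text)) break;
    current = text;
    layers += 1;
  }
  return { layers, payload: current };
}

// Key names that suggest a credential inside a decoded dump.
const CREDENTIAL_KEY = /TOKEN|SECRET|PASSWORD|ACCESS_KEY|PRIVATE_KEY|API_KEY|CREDENTIAL/i;

// Walk a parsed JSON object and return dotted paths of credential-looking keys.
function findCredentialKeys(obj, path = "") {
  const hits = [];
  if (obj && typeof obj === "object") {
    for (const [key, value] of Object.entries(obj)) {
      const here = path ? `${path}.${key}` : key;
      if (CREDENTIAL_KEY.test(key) && typeof value === "string" && value.length > 0) hits.push(here);
      hits.push(...findCredentialKeys(value, here));
    }
  }
  return hits;
}

// Peel a suspected exfiltration blob and report what it contained.
function triageDump(blob) {
  const { layers, payload } = peelBase64(blob);
  let parsed = null;
  try { parsed = JSON.parse(payload); } catch (_) { parsed = null; }
  const isJson = parsed !== null && typeof parsed === "object";
  return { layers, isJson, credentialKeys: isJson ? findCredentialKeys(parsed) : [] };
}

// Constructed sample package.json (hypothetical package, not a real one).
const SAMPLE_PACKAGE_JSON = {
  name: "example-widget",
  version: "1.2.3",
  scripts: { preinstall: "node setup.js", postinstall: "echo installed", test: "jest" },
};

// Constructed sample dump wrapped in three base64 layers, mirroring the
// double/triple encoding the layer describes. All values are placeholders.
const SAMPLE_DUMP = {
  hostname: "ci-runner-01",
  env: { NPM_TOKEN: "npm_placeholder", AWS_ACCESS_KEY_ID: "AKIAPLACEHOLDER", PATH: "/usr/bin" },
};
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const SAMPLE_BLOB = b64(b64(b64(JSON.stringify(SAMPLE_DUMP))));

function main() {
  console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_PACKAGE_JSON), null, 2));
  console.log(JSON.stringify(triageDump(SAMPLE_BLOB), null, 2));
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it with `node` after replacing the two sample objects with a real package.json from an extracted tarball and a blob copied out of a workflow log or a commit in a `Shai-Hulud` repository. A `preinstall` hook that shells out to a download utility or runs a bundled script is not proof of compromise on its own, but it is the point at which the layer says this family begins executing, so it is the first thing to read.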