The return of the Shai-Hulud supply chain attack was dubbed ‘The Second Coming’ shortly after the first warning about it on November 24. However, despite the Biblical wording, Shai-Hulud 2.0 can be defended against by fairly mortal means, as Microsoft explains.
The Shai-Hulud 2.0 campaign, previously described on Techzine, builds on earlier supply chain compromises. However, this variant introduces more automation, faster distribution, and a broader target. Malicious code runs during the pre-install phase of infected npm packages, causing execution to take place before tests or security checks. Attackers compromised maintainer accounts of widely used projects such as Zapier, PostHog, and Postman.
Stolen credentials are exfiltrated to public repositories controlled by attackers. This can lead to further compromises. Microsoft emphasizes that traditional network defenses are insufficient against attacks embedded in trusted package workflows. Compromised credentials enable attackers to escalate privileges and move laterally across cloud workloads.
Attack mechanism and detection
Multiple npm packages were compromised when threat actors added a preinstall script called setup_bun.js to the package.json. The setup_bun.js script checked for an existing Bun runtime binary and installed it if absent. Bun is a JavaScript runtime that can execute scripts in the same way as Node.js.
The Bun runtime then executed the bundled malicious script bun_environment.js. This script downloaded and installed a GitHub Actions Runner archive and configured a new GitHub repository with a runner agent named SHA1Hulud. Additional files were extracted from the archive, including TruffleHog and Runner.Listener executables. TruffleHog was used to search the system for stored credentials and retrieve cloud credentials.
Microsoft Defender for Containers alerted customers immediately at the start of the campaign with the alert “Suspicious usage of the shred command on hidden files detected.” This alert identified the data destruction activity that was part of the campaign. Microsoft also introduced a specific alert to identify this campaign: “Sha1-Hulud Campaign Detected – Possible command injection to exfiltrate credentials.”
In some cases, commits to newly created repositories were made under the name “Linus Torvalds,” the creator of the Linux kernel and original author of Git. The use of false personas demonstrates the need for commit signature verification, a simple and reliable check to confirm who actually created a commit.
Broader context and impact
The consequences of Shai-Hulud 2.0 soon proved to be greater than initially thought. Research shows that large amounts of data were stolen and made public via tens of thousands of GitHub repositories. Approximately 400,000 raw secrets were stolen, ranging from access tokens to configuration data from CI and development environments.
The NPM ecosystem had already been hit by an initial Shai-Hulud attack. The new variant generates random repository names and contains a destructive function that, under certain circumstances, deletes a victim’s entire home directory. This type of malware is evolving from mere data theft to functionality that can cause direct damage within development environments.
According to security researchers, the attack affects the entire development chain, from local machines to automated CI environments. A large number of the affected systems consisted of Linux containers that were part of automation processes. Many infections were found to be related to GitHub Actions, followed by other CI platforms such as Jenkins, GitLab CI, and AWS CodeBuild.
Protection and mitigation
Microsoft Defender recommends that organizations review Key Vault assets on the critical asset management page and examine relevant logs for unauthorized access. Exposed credentials must be reset and revoked quickly. Affected CI/CD agents or workspaces should be isolated.
Organizations should prioritize high-risk attack paths to reduce further exposure. It is essential to remove unnecessary roles and permissions assigned to identities for CI/CD pipelines, specifically access to key vaults.
For npm maintainers, Microsoft recommends using npm trusted publishing instead of tokens. Publishing settings on accounts, organizations, and packages should be strengthened to require two-factor authentication (2FA) for all write and publish actions. When configuring 2FA, WebAuthn is preferred over a time-based, one-time password (TOTP).
Microsoft also recommends enabling cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use AI and ML to quickly identify and stop new and unknown threats. Attack surface reduction rules should be enabled, particularly for blocking executable files unless they meet prevalence, age, or trusted list criteria.
Microsoft Defender for Cloud customers can use Cloud Security Explorer to uncover potentially compromised software packages. The Security Explorer templates library has been expanded with two additional queries that retrieve all container images with compromised software packages and identify all running containers with these images.