Shai-hulud npm Supply Chain Attack: Impact, Techniques, and Mitigation Strategies for Open-Source Ecosystems
- Feb 8
- 5 min read

Executive Summary
The Shai-hulud supply chain attack, first identified in late 2025, has emerged as one of the most consequential and technically sophisticated threats to the global software ecosystem. This campaign, targeting the npm package registry and its vast network of open-source maintainers, has demonstrated the devastating potential of automated, cloud-native supply chain attacks. By compromising trusted developer accounts and injecting malicious code into widely used packages, the attackers were able to propagate credential-stealing malware at scale, impacting developer environments, CI/CD pipelines, and cloud-connected workloads across multiple sectors and geographies. The true cost of Shai-hulud extends far beyond immediate remediation, exposing organizations to persistent credential theft, lateral movement, and the erosion of trust in the open-source software supply chain.
Technical Information
The Shai-hulud campaign is a multi-stage, highly automated supply chain attack that leverages the interconnectedness of the modern software development lifecycle. The attackers' primary objective was to harvest sensitive credentials and configuration secrets from as many targets as possible, using a combination of malicious npm package updates, credential harvesting tools, and cloud-based exfiltration infrastructure.
Attack Chain and Tactics
The initial vector involved the compromise of maintainer accounts for popular npm packages, including but not limited to Zapier, PostHog, Postman, ENS Domains, and AsyncAPI. Once access was obtained, the attackers published new versions whose package.json carried a malicious preinstall lifecycle hook, pointing at a dropped script typically named setup_bun.js. Because npm runs preinstall hooks automatically during installation, the script executed early and silently on developer machines and CI/CD runners, before any application code was ever imported.
The setup_bun.js script checked for the presence of the Bun JavaScript runtime and installed it if absent. The use of Bun—a relatively new and less scrutinized runtime—helped the attackers evade traditional detection mechanisms that focus on Node.js or Python environments. Once Bun was present, it executed a secondary payload, bun_environment.js, which orchestrated the core malicious activities.
The bun_environment.js script performed several advanced operations. It downloaded and installed a GitHub Actions Runner archive, configured a new repository, and registered a runner agent named SHA1Hulud. The script then extracted and executed additional binaries, including TruffleHog (a tool for scanning repositories and file systems for secrets) and Runner.Listener. Using TruffleHog, the malware systematically searched for and extracted stored credentials, API keys, and cloud secrets from the infected environment.
Exfiltration was achieved by uploading the harvested secrets to attacker-controlled GitHub repositories, each labeled with the phrase "Sha1-Hulud: The Second Coming." Over 26,000 such repositories were created during the campaign, providing a scalable and resilient exfiltration channel. In cases where the malware could not authenticate with GitHub or npm, it executed a destructive routine, wiping all files in the user's home directory using the shred command—a clear attempt to hinder forensic analysis and recovery.
The attackers also employed sophisticated evasion and impersonation techniques. Some malicious commits were made under the name "Linus Torvalds," leveraging the trust associated with prominent open-source figures to avoid suspicion. The worm-like nature of the attack allowed it to propagate rapidly, infecting both direct dependencies and packages further down the dependency chain.
Exploitation in the Wild
The Shai-hulud attack spread with unprecedented speed and reach. According to public reports, nearly 500 npm packages were compromised, collectively accounting for over 132 million monthly downloads. Major organizations and projects—including Zapier, ENS Domains, AsyncAPI, PostHog, and Postman—were directly impacted, as were countless downstream consumers.
Detection of the attack was challenging due to the use of legitimate package update mechanisms and the novel use of the Bun runtime. However, security solutions such as Microsoft Defender for Containers began issuing alerts for suspicious activities, including "Suspicious usage of the shred command on hidden files detected" and "Sha1-Hulud Campaign Detected – Possible command injection to exfiltrate credentials." The campaign's automation and use of public cloud infrastructure for exfiltration further complicated detection and response efforts.
Indicators of Compromise (IOCs)
Key indicators associated with the Shai-hulud campaign include the presence of setup_bun.js and bun_environment.js files, the registration of GitHub Actions Runners named SHA1Hulud, and the creation of GitHub repositories with the description "Sha1-Hulud: The Second Coming." Organizations should also look for anomalous process executions involving Bun, TruffleHog, and Runner.Listener, as well as unexpected file deletions in user home directories.
MITRE ATT&CK Mapping
The tactics, techniques, and procedures (TTPs) observed in the Shai-hulud campaign map to several MITRE ATT&CK techniques, including:
- T1195: Supply Chain Compromise
- T1059: Command and Scripting Interpreter (Node.js, Bash)
- T1552: Unsecured Credentials
- T1078: Valid Accounts (compromised maintainer accounts)
- T1566: Phishing (potential for initial access)
- T1485: Data Destruction
Affected Vendors, Products, and Tools
The primary impact was on the npm ecosystem, with hundreds of packages compromised. Notable affected vendors and projects include Zapier, PostHog, Postman, ENS Domains, and AsyncAPI. The attack also leveraged and targeted cloud providers such as Azure and GitHub, particularly environments with CI/CD integrations.
A partial list of affected packages and versions is publicly available; the most comprehensive and up-to-date list is maintained by JFrog at JFrog: Shai-Hulud npm supply chain attack – new compromised packages detected.
Detection and Hunting
Organizations can leverage advanced threat hunting queries to identify potential compromise. For example, in Microsoft Defender XDR, the following KQL queries can be used:
To detect malicious JavaScript execution:

    DeviceProcessEvents
    | where FileName has "node"
        and ProcessCommandLine has_any ("setup_bun.js", "bun_environment.js")

To identify suspicious process launches involving Bun:

    DeviceProcessEvents
    | where InitiatingProcessFileName in~ ("node", "node.exe")
        and InitiatingProcessCommandLine endswith ".js"
    | where FileName in~ ("bun", "bun.exe") and ProcessCommandLine has ".js"

To monitor for GitHub exfiltration activity:

    DeviceProcessEvents
    | where FileName has_any ("bash", "Runner.Listener", "cmd.exe")
    | where ProcessCommandLine has "SHA1HULUD"
Mitigation and Remediation
Immediate actions should include auditing all npm dependencies and versions, especially those related to the high-profile compromised packages. All credentials and secrets used during the installation of affected packages must be rotated, and any anomalous GitHub repositories with the description "Sha1-Hulud: The Second Coming" should be investigated and reported.
Organizations should disable npm lifecycle scripts (preinstall, install, and postinstall) in CI environments where possible, for example with npm ci --ignore-scripts or ignore-scripts=true in the project .npmrc, and explicitly rebuild the few packages that genuinely need native builds. Package versions should be pinned through a committed lockfile, and multi-factor authentication (preferably WebAuthn) should be enforced for all GitHub and npm accounts. Tools such as Safe-Chain can be used to block known malicious packages.
Long-term strategies must focus on integrating agentless code scanning, software bill of materials (SBOM) analysis, and continuous monitoring for suspicious commit authors and package updates. Commit signature verification and the use of trusted publishing mechanisms are essential to restoring and maintaining trust in the open-source supply chain.
The Hidden Cost
The true cost of the Shai-hulud attack is not limited to the immediate operational disruption or the direct theft of credentials. The campaign has eroded trust in the open-source ecosystem, increased the burden of due diligence for every software consumer, and forced organizations to reevaluate their approach to third-party risk management. The automation, scale, and sophistication of the attack serve as a stark warning: supply chain security is now a first-order concern for every organization that relies on open-source software.
References
Microsoft Security Blog: Shai-Hulud 2.0 Guidance (December 9, 2025)
Aikido Security: Shai-Hulud Strikes Again (December 2025)
Software Improvement Group: Shai-Hulud npm Supply Chain Attack (December 2025)
CyberArk: Lessons from the Shai-Hulud npm attack (December 2025)
Harness: Defend Against Shai-Hulud 2.0 Supply Chain Attack (December 2025)
JFrog: Shai-Hulud npm supply chain attack – new compromised packages detected (December 2025)
AsyncAPI CLI bun_environment.js POC (December 2025)
Rescana is here for you
At Rescana, we understand that the complexity and interconnectedness of today’s software supply chains demand a new level of vigilance and automation. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate risks across their entire digital ecosystem. By leveraging advanced analytics, real-time threat intelligence, and automated workflows, Rescana helps you stay ahead of emerging threats and maintain the trust and resilience your business depends on.
We are happy to answer any questions or provide further guidance at ops@rescana.com.