Threat Management, Threat Intelligence, Ransomware, Malware

New Shai Hulud malware variant examined

A digital display shows the words "SYSTEM HACKED" in red against

Over 25,000 repositories and hundreds of npm packages have already been impacted by the new Shai Hulud malware campaign that automates developer environment compromise, SiliconANGLE reports.

Execution of the updated Shai Hulud malware triggers a two-stage infection chain beginning with the installation of the Bun JavaScript runtime followed by the deployment of an obfuscated payload enabling credential harvesting, data theft, and self-propagation, according to Expel researchers.

After scouring and pilfering cloud provider keys, GitHub authentication data, and npm publishing tokens, as well as source code, git history, and configuration file secrets, Shai Hulud targets cloud-native secret managers for additional secret extraction.

New public GitHub repositories are then created by Shai Hulud to store stolen credentials and system metadata, with the malware then using breached developer accounts to enable automated publication of updated packages to the registry. Researchers have warned of similar intrusions impacting PyPI, Composer, RubyGems, and other repositories.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds