Over 25,000 repositories and hundreds of npm packages have already been impacted by the new Shai Hulud malware campaign that automates developer environment compromise, SiliconANGLE reports.
Execution of the updated Shai Hulud malware triggers a two-stage infection chain beginning with the installation of the Bun JavaScript runtime followed by the deployment of an obfuscated payload enabling credential harvesting, data theft, and self-propagation, according to Expel researchers.
After scouring and pilfering cloud provider keys, GitHub authentication data, and npm publishing tokens, as well as source code, git history, and configuration file secrets, Shai Hulud targets cloud-native secret managers for additional secret extraction.
New public GitHub repositories are then created by Shai Hulud to store stolen credentials and system metadata, with the malware then using breached developer accounts to enable automated publication of updated packages to the registry. Researchers have warned of similar intrusions impacting PyPI, Composer, RubyGems, and other repositories.
Execution of the updated Shai Hulud malware triggers a two-stage infection chain beginning with the installation of the Bun JavaScript runtime followed by the deployment of an obfuscated payload enabling credential harvesting, data theft, and self-propagation, according to Expel researchers.
After scouring and pilfering cloud provider keys, GitHub authentication data, and npm publishing tokens, as well as source code, git history, and configuration file secrets, Shai Hulud targets cloud-native secret managers for additional secret extraction.
New public GitHub repositories are then created by Shai Hulud to store stolen credentials and system metadata, with the malware then using breached developer accounts to enable automated publication of updated packages to the registry. Researchers have warned of similar intrusions impacting PyPI, Composer, RubyGems, and other repositories.




