UPDATED 09:00 EST / DECEMBER 23 2025


Shai Hulud malware turns developers into unwitting distributors in NPM supply chain attacks

A new report out today from managed detection and response company Expel Inc. details a newly identified variant of the Shai Hulud malware that is demonstrating how software supply chain attacks are evolving beyond isolated package compromises into self-propagating campaigns that turn developers themselves into distribution points.

Shai Hulud is a malware campaign first observed in September targeting the JavaScript ecosystem. It focuses on supply chain compromise rather than traditional endpoint infection, using trojanized Node Package Manager, or npm, packages to steal credentials and propagate itself.

The updated Shai Hulud campaign targets the JavaScript ecosystem by automating the compromise of developer environments and the NPM package registry through a combination of credential harvesting, cloud secret theft and rapid self-propagation.

Once executed, typically during an npm install operation on a developer workstation or continuous integration and continuous delivery system, the malware deploys a two-stage infection chain embedded in malicious npm packages.

The first stage of the new Shai Hulud variant prepares the targeted environment by installing the Bun JavaScript runtime if it is not already present on the system. The second stage launches a heavily obfuscated payload that runs in the background and orchestrates credential harvesting, data exfiltration and propagation.

The malware aggressively searches for sensitive credentials across local systems, including cloud provider keys, npm publishing tokens and GitHub authentication data. It also leverages the TruffleHog security scanning tool to crawl a victim’s home directory for hard-coded secrets buried in source code, configuration files and git history.

If Shai Hulud finds cloud credentials, it goes a step further by querying cloud-native secret managers such as Amazon Web Services Inc.’s Secrets Manager, Microsoft Corp.’s Azure Key Vault and Google LLC’s Cloud Secret Manager to extract additional secrets directly from the cloud.

At this point, Shai Hulud differs from traditional malware by abusing GitHub infrastructure to blend in with legitimate developer traffic instead of using command and control servers. All stolen credentials and system metadata are exfiltrated to newly created public GitHub repositories. Infected machines are also registered as self-hosted GitHub Actions runners to give the attackers persistent remote access.

To sustain the attack, the malware weaponizes compromised developer accounts by injecting malicious code into other npm packages maintained by the victim and automatically publishing updated versions to the registry.

Expel estimates the campaign has touched more than 25,000 repositories and hundreds of packages, including projects associated with widely used developer tools.

The report concludes by noting that Shai Hulud represents a shift in supply chain risk by targeting the trust layer of modern software development. Though the current campaign focuses on npm, Expel warns that similar attacks could emerge across other language ecosystems that rely on comparable trust models, including PyPI, RubyGems and Composer.

Image: SiliconANGLE/Ideogram
