Shai Hulud Strikes Again (v2)
Blog post from Socket
PostHog's GitHub Actions workflow was exploited as an entry point for the Shai Hulud v2 campaign, leading to a compromise that allowed attackers to steal GitHub secrets and publish malicious versions of PostHog SDKs. The campaign, which primarily targets the npm ecosystem, has extended into the Java/Maven ecosystem, compromising hundreds of packages and exposing secrets from thousands of GitHub repositories. The malware uses a two-stage loader to execute a stealthy payload that installs the Bun runtime, collects system information, and exploits CI/CD environments for privilege escalation. It exfiltrates data through a GitHub repository created with stolen tokens, applying triple-base64 encoding to the uploaded content to evade detection. The attack highlights the weaknesses in CI/CD workflows and underlines the need for stricter security controls and vigilant monitoring of package dependencies.
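The triple-base64 wrapping described above only hides the exfiltrated data from naive string matching; each layer still decodes cleanly. The following added example (not code from Socket or from the campaign itself) peels nested base64 layers off a suspected exfil blob and flags secret-shaped keys in the recovered JSON. The `encode_layers` fixture, the sample dictionary and the key pattern are constructed for the example.

```python
import base64
import binascii
import json
import re

# Upper bound on layers to peel, so a pathological blob cannot loop forever.
MAX_LAYERS = 5

# Names a stolen CI environment or secrets bundle would typically carry
# (constructed pattern, not an indicator from the campaign).
SECRET_KEY_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)


def peel_base64(blob: str, max_layers: int = MAX_LAYERS):
    """Strip nested base64 layers; return (decoded_text, layers_removed)."""
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            # validate=True rejects any non-alphabet byte, so plain JSON stops the loop.
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        current = text.strip()
        layers += 1
    return current, layers


def find_exposed_secrets(blob: str):
    """Decode a suspected exfil blob and return the secret-like keys it exposes."""
    text, layers = peel_base64(blob)
    if layers == 0:
        return []  # not base64 at all; nothing to unwrap
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, dict):
        return []
    return sorted(k for k in data if SECRET_KEY_RE.search(k))


def encode_layers(payload: dict, layers: int = 3) -> str:
    """Constructed fixture: wrap JSON in N base64 layers, mimicking the exfil format."""
    data = json.dumps(payload).encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


if __name__ == "__main__":
    sample = encode_layers({"GITHUB_TOKEN": "ghp_constructed", "HOME": "/home/runner"})
    print(peel_base64(sample)[1], find_exposed_secrets(sample))
```

Running the decoder over files in unexpected repositories created by a CI token is a practical triage step; the layer count alone (three or more) is already a strong signal, since legitimate tooling rarely nests base64.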