
The Shai-Hulud 2.0 npm Worm: What Happened & How Stream Detected It

Blog post from Stream.Security

Post Details

- Company: Stream.Security
- Date Published: (not given)
- Author: Petr Zuzanov
- Word Count: 1,277
- Language: English
- Hacker News Points: -
Summary

The Shai-Hulud 2.0 malware campaign, also known as "Sha1-Hulud: The Second Coming," has rapidly compromised numerous npm packages and GitHub repositories, exfiltrating sensitive data from thousands of developer environments. This self-propagating malware has backdoored over 700 npm packages and created more than 25,000 malicious GitHub repositories, affecting several prominent organizations. The attack is notable for combining credential harvesting, cross-victim exfiltration, and a destructive "dead-man's switch" that can wipe a user's home directory when certain conditions are not met.

The malware's methodology proceeds in stages: initial infection via npm preinstall scripts, credential harvesting, exfiltration of the harvested data to public GitHub repositories, self-propagation using stolen npm tokens, and the creation of a remote code execution backdoor through GitHub Actions. If the malware fails to propagate, it can trigger its destructive mechanism and wipe user data, turning the attack from espionage into sabotage. This campaign represents a significant escalation in supply-chain attacks, blending elements of ransomware and botnet infrastructure, and it underlines the need for adaptive, real-time security measures rather than static detection systems.

Stream's security platform provides real-time threat detection and analysis across various cloud and SaaS platforms, helping enterprises prepare for and respond to such incidents by automating detection, investigation, and response.