VYPR
Research · Published Nov 27, 2025 · Updated May 20, 2026 · 1 source

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems with Wormable NPM Backdoor

Trend Micro reveals Shai-hulud 2.0, a sophisticated malware campaign that steals cloud credentials and automatically backdoors NPM packages, creating a wormable supply-chain threat.

Trend Micro researchers have detailed a new iteration of the Shai-hulud malware campaign, dubbed Shai-hulud 2.0, which expands on its predecessor's credential theft capabilities to include automated backdooring of NPM packages. The campaign, first observed in a September 15 supply-chain attack, now uses a sophisticated malware variant that steals credentials and secrets from major cloud platforms—AWS, GCP, and Azure—as well as NPM tokens and GitHub authentication credentials. The malware's most alarming feature is its ability to automatically backdoor every NPM package maintained by a victim, republishing them with malicious payloads that execute on installation, creating a highly wormable threat with the potential to impact thousands of downstream users.

The attack chain begins with a malicious NPM package containing a preinstall script that executes during installation. The script, `setup_bun.js`, first checks if the Bun JavaScript runtime is installed on the victim's system. If not, it automatically downloads and installs Bun using official installation scripts from bun.sh, making the process appear legitimate. Once Bun is available, the script reloads the system PATH environment variable to ensure the newly installed executable is detected, then uses Bun to execute the main malware payload, `bun_environment.js`.
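As an added example (not code from the Trend Micro research or from any NPM project), the following audit script flags the install-time hook pattern described above in `package.json` manifests. The helper file names and the bun.sh host are the ones named in this section; the regexes and the severity labels are assumptions about how such a hook might look, not published signatures.

```python
"""Audit package.json manifests for install-time lifecycle scripts.
Added example, not code from the Trend Micro research or any NPM project."""
import json
import os
import re
# Hooks npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# The file names and host come from the write-up above; the regexes are my
# assumptions about how a script field might reference them, not published IoCs.
INDICATORS = {
    "helper named in the report": re.compile(r"setup_bun\.js|bun_environment\.js"),
    "bun runtime invocation": re.compile(r"(^|[\s;&|])bun(\s|$)"),
    "installer fetched from bun.sh": re.compile(r"bun\.sh"),
    "pipe-to-shell install": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
}

def audit_manifest(pkg):
    """Return findings for one parsed package.json (empty list: nothing to review)."""
    findings = []
    scripts = pkg.get("scripts") or {}
    name = pkg.get("name", "<unnamed>")
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [label for label, rx in INDICATORS.items() if rx.search(cmd)]
        severity = "HIGH" if hits else "INFO"  # any install hook merits a look
        detail = "; ".join(hits) if hits else "lifecycle hook present"
        findings.append(f"{severity} {name}: {hook}={cmd!r} ({detail})")
    return findings

def audit_tree(root):
    """Walk a node_modules tree and audit every package.json it contains."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_manifest(json.load(fh)))
        except (OSError, ValueError, AttributeError):
            findings.append(f"WARN {path}: unreadable package.json")
    return findings

# Constructed sample mirroring the described chain; not a real package.
SAMPLE_MANIFEST = {"name": "example-widget", "version": "1.0.0",
                   "scripts": {"preinstall": "node setup_bun.js", "test": "jest"}}
```

Running `audit_tree("node_modules")` after an install lists every package that hooks the install step, with the ones matching the described pattern marked HIGH.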

Shai-hulud 2.0's credential theft capabilities are extensive. The malware steals static credentials from the AWS, GCP, and Azure cloud providers, including API keys, tokens, and passwords. It also targets NPM tokens and GitHub authentication credentials. Beyond static credentials, the malware uses the stolen cloud credentials to access cloud-native secret management services: it retrieves secrets from AWS through the AWS Secrets Manager API, extracts Google Cloud secrets through the GCP Secret Manager API, and collects Azure secrets via Azure Key Vault. The malware also targets credentials from Azure Pod Identity, a legacy system that remains widely used for providing Azure identities to Kubernetes pods.

The malware's supply-chain compromise capabilities are what set Shai-hulud 2.0 apart from its predecessor. After compromising a victim's account, the malware automatically backdoors every NPM package maintained by that victim. It republishes these packages with malicious payloads that run during package installation, creating a wormable vector capable of spreading exponentially across the NPM ecosystem. This entire workflow is automated and parallelized across up to 100 packages at once, maximizing propagation while keeping detection opportunities minimal. The malware also creates GitHub Actions workflows that serve as a command-and-control (C&C) channel, and injects GitHub Actions workflow mechanisms specifically designed to steal repository secrets.

The campaign was first detected in a September 15 incident in which attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. That initial attack injected malicious code into JavaScript packages to divert cryptocurrency assets by hijacking web APIs and manipulating network traffic. The Shai-hulud worm in that attack payload stole cloud service tokens, deployed secret-scanning tools, and spread to additional accounts. An incident on November 24 reported hundreds of NPM repositories compromised by what appears to be a new Shai-hulud campaign, with repository descriptions reading "Sha1-Hulud: The Second Coming."

Trend Micro notes that Shai-hulud 2.0 also contains destructive code that wipes user data when the malware fails to harvest data, giving the campaign a destructive element in addition to its theft and propagation capabilities. The malware's ability to automate supply-chain compromise at scale makes it a significant threat to the software development ecosystem. Trend Vision One detects and blocks the indicators of compromise outlined in the research, and provides customers with tailored threat hunting queries, threat insights, and intelligence reports.

The Shai-hulud 2.0 campaign represents an evolution in supply-chain attacks, moving from simple credential theft to automated, wormable propagation across the NPM ecosystem. By targeting cloud and developer platforms, the attackers aim to compromise not just individual developers but entire software supply chains, potentially affecting thousands of downstream users who trust the affected packages. This campaign underscores the growing sophistication of attacks targeting the software development lifecycle and the need for robust security measures in CI/CD pipelines and package management systems.

Synthesized by Vypr AI