How the malware works

The Shai-Hulud malware runs a multistage attack. It starts with phishing campaigns that steal developer credentials, typically GitHub and npm tokens. The attackers then inject malicious code into the postinstall scripts of npm packages those tokens can publish. When a developer installs a compromised package, the script performs several actions.

Credential harvesting: It scans the environment for sensitive data like GitHub PATs, npm tokens, SSH keys, and cloud provider keys (AWS, GCP, Azure). Some variants use tools like TruffleHog to hunt for secrets more aggressively.

Data exfiltration: The stolen data is encoded (often double-base64) and dumped into a public GitHub repo named Shai-Hulud under a file like data.json. It also tries to send data to a webhook (e.g., webhook[.]site), though some of these have been shut down due to excessive activity.

Worm propagation: If it finds valid npm tokens in the environment, it uses them to publish malicious versions of other packages the maintainer controls, creating a self-replicating cycle that spreads the infection across the npm ecosystem.

Persistence: The malware pushes malicious GitHub Actions workflows (often named shai-hulud-workflow.yml) to accessible repositories. These workflows exfiltrate more secrets, and in some cases, convert private organizational repos to public ones under attacker-controlled accounts, tagged with "Shai-Hulud Migration" and a -migration suffix.
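A defender-side triage helper for the stages above, added here as an example that is not part of the original page: it flags npm lifecycle hooks for review, spots the persistence workflow by the file name named above, and decodes a recovered double-base64 `data.json`. All package names, paths and payload values are constructed samples, not real indicators.

```python
import base64
import json
import re

# Constructed sample manifests (not real packages): one benign, one carrying an
# install hook, which is how a compromised package gets its code executed.
SAMPLE_MANIFESTS = {
    "left-padding-helper": {"version": "1.0.0", "scripts": {"test": "node test.js"}},
    "some-popular-lib": {"version": "2.4.1", "scripts": {"postinstall": "node bundle.js"}},
}
# Constructed workflow paths, as a repo scanner would list them.
SAMPLE_WORKFLOWS = [
    "org/api/.github/workflows/ci.yml",
    "org/api/.github/workflows/shai-hulud-workflow.yml",
]
# Constructed exfil blob: JSON, base64-encoded twice, as the article describes.
SAMPLE_EXFIL = base64.b64encode(
    base64.b64encode(json.dumps({"npm_token": "REDACTED-SAMPLE"}).encode())
).decode()

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Strings drawn from the indicators named on this page; anything else that runs
# at install time is still surfaced for review.
SUSPECT_PATTERNS = re.compile(r"shai-hulud|webhook\.site|trufflehog|data\.json", re.I)
PERSISTENCE_WORKFLOW = "/.github/workflows/shai-hulud-workflow.yml"


def audit_manifest(name, manifest):
    """Return (severity, message) findings for one package.json."""
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            sev = "HIGH" if SUSPECT_PATTERNS.search(cmd) else "REVIEW"
            findings.append((sev, f"{name}: {hook} runs `{cmd}`"))
    return findings


def audit_workflows(paths):
    """Flag workflow files whose name matches the worm's persistence artifact."""
    return [("HIGH", f"persistence workflow: {p}") for p in paths
            if p.replace("\\", "/").endswith(PERSISTENCE_WORKFLOW)]


def decode_exfil(blob):
    """Undo the double-base64 layer and parse the JSON for incident triage."""
    return json.loads(base64.b64decode(base64.b64decode(blob)))


if __name__ == "__main__":
    for pkg, manifest in SAMPLE_MANIFESTS.items():
        for finding in audit_manifest(pkg, manifest):
            print(*finding)
    for finding in audit_workflows(SAMPLE_WORKFLOWS):
        print(*finding)
    print(sorted(decode_exfil(SAMPLE_EXFIL)))  # keys only: never print secrets
```

In a real environment, feed `audit_manifest` every `package.json` under `node_modules` and `audit_workflows` the workflow paths of each repository the stolen token could reach.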

This attack builds on earlier compromises like S1ngularity/Nx, where stolen GitHub tokens led to broader supply chain attacks. It’s one of the first successful self-propagating worms in the npm ecosystem, making it a serious threat.