Shai-Hulud is a self-propagating supply-chain worm that compromises legitimate npm packages by adding malicious files and install scripts. When a compromised package is installed, the worm gathers credentials and cloud secrets and uploads them to public GitHub repositories. It can also publish altered npm packages, which allows it to continue spreading across the npm ecosystem.
Symptoms
You might observe the following artifacts associated with this threat:
- Suspicious lifecycle scripts added to package.json, such as unexpected preinstall or install commands.
- Injected files including setup_bun.js, bun_environment.js, cloud.json, contents.json, or environment.json.
- Unexpected public GitHub repositories created from the affected environment.
- Unusual GitHub API activity, including new repositories or changes in repository visibility.
Technical Breakdown
Shai-Hulud spreads through modified npm packages that include malicious lifecycle scripts. These scripts install Bun and execute files such as setup_bun.js and bun_environment.js.
After executing, the worm attempts to collect credentials and cloud secrets from configuration files, environment files, and local development tooling. The stolen data is uploaded to public GitHub repositories controlled by the attacker.
If npm credentials are accessible in the environment, Shai-Hulud can republish modified versions of other npm packages maintained by the developer. This enables automated spread across the npm supply chain.
Read more about our Threat Intelligence team's breakdown of Shai-Hulud here.
Next Steps
Iru Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect. In addition to file-based protections, Iru EDR also monitors for and blocks certain behaviors associated with Shai-Hulud, helping ensure your devices stay protected even if malicious activity attempts to run.
Removing the malicious files does not undo what the worm has already done, so some cleanup is manual. Review npm dependencies for the artifacts listed above, delete node_modules and reinstall from known-good, pinned versions, and rotate every developer and cloud credential that was reachable from the affected machine, including npm publish tokens and GitHub tokens, since the worm uploads what it collects to public repositories. Maintainers should also check the packages they publish for versions they did not release, as the worm uses stolen npm credentials to republish modified packages.