November 24, 2025 at 06:57PM

Shai Hulud is a self-replicating npm worm that executes malicious code via the postinstall script during package installation. It uses the TruffleHog tool to scan the system, steal sensitive information (such as API keys and tokens), and upload it to randomly named repositories on GitHub.

These repositories have a uniform description of “Sha1-Hulud: The Second Coming”, and over 26.8k such repositories have been discovered so far.

Unlike the previous attack, this wave introduces a setup_bun.js script that installs the Bun runtime and then executes the core malicious file, bun_environment.js.
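
A defender-side check for the indicators named above, as an added example that is not from the original post or the linked write-ups: it walks a directory tree (for instance a project's node_modules) and reports packages that contain setup_bun.js or bun_environment.js, or whose install-time script references them. Checking preinstall and install in addition to postinstall is an assumption beyond the post, and the sample package names are constructed.

```python
import json
import os
import sys

# File names the post attributes to this wave of the worm.
IOC_FILES = {"setup_bun.js", "bun_environment.js"}
# The post names postinstall; the other npm install-time hooks are an added assumption.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_tree(root):
    """Return sorted (package_dir, reason) findings for every directory under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in IOC_FILES.intersection(files):
            findings.add((dirpath, f"file:{name}"))
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                scripts = json.load(fh).get("scripts")
        except (OSError, ValueError, AttributeError):
            continue  # unreadable, malformed, or non-object manifest
        for hook in INSTALL_HOOKS:
            command = str(scripts.get(hook, "")) if isinstance(scripts, dict) else ""
            if any(ioc in command for ioc in IOC_FILES):
                findings.add((dirpath, f"hook:{hook}"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one clean package and one carrying the indicators."""
    manifests = {"clean-pkg": {"test": "node test.js"},
                 "flagged-pkg": {"postinstall": "node setup_bun.js"}}
    for name, scripts in manifests.items():
        pkg = os.path.join(root, "node_modules", name)
        os.makedirs(pkg)
        with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "scripts": scripts}, fh)
    flagged = os.path.join(root, "node_modules", "flagged-pkg")
    for name in IOC_FILES:  # empty placeholder files, no payload
        open(os.path.join(flagged, name), "w").close()
    return flagged


if __name__ == "__main__":
    # Usage: python scan.py <directory>; defaults to the current directory.
    for package_dir, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(package_dir, reason)
```

A hit on file name alone is a lead to investigate, not proof of compromise, since unrelated packages may ship a file with the same name.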

If GitHub or npm authentication fails, the attacker will delete all files in the user’s home directory. The attack started at 3:16 AM, with the first wave targeting go-template and 36 AsyncAPI packages, then expanding to PostHog (4:11) and Postman (5:09), with targets increasing from 20 to a maximum of 100.

https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains

Shai-Hulud 2.0: Ongoing Supply Chain Attack

https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack