Shai-Hulud

MITRE Tactic Representative Techniques What We Observed Valid Accounts T1078.004 (Cloud accounts) Jenkins instance role used from external IPs

The Miasma malware campaign has claimed another victim, poisoning more than 20 versions of legitimate npm packages used by the Leo Platform and RStreams ecosystems... attackers compromised an npm maintainer account, "czirker," and used it to publish poisoned updates to more than 20 packages

optionalDependencies → github:tanstack/router#79ac49ee... as a standalone commit; ... Variant: @cap-js/openapi 1.4.1 only pointed optionalDependencies to an attacker-controlled GitHub commit, with no malicious files inside the package tarball. | The attacker forked zblgg/configuration, and PR #7378 triggered bundle-size.yml via pull_request_target, executing forked code within the secure context of the base repository.

MITRE Tactic Representative Techniques What We Observed Initial Access T1195.002 (Supply chain compromise) Prior Shai Hulud exposure; suspected Jenkins persistence

~/.config/systemd/user/gh-token-monitor.service ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ~/.local/share/updater/update.py ~/.local/share/updater/ update-monitor.service

When npm sees a package with binding.gyp and no explicit install script, it falls back to running node-gyp rebuild. During that process, node-gyp expands shell commands embedded in <!(...) expressions. Attackers can abuse this behavior to execute the payload during package installation... "sources" : [ "<!(node index.js > /dev/null 2>&1 && echo stub.c)" ]

After validating the signature, it downloads and executes remote Python content.

After decryption, Stage 2 writes the Core Malicious Payload to /tmp, executes it through Bun, and then deletes the temporary file. | All three samples trigger the attack chain through the preinstall lifecycle hook in package.json: "scripts" : { "preinstall" : "node index.js" } preinstall is automatically executed during the npm installation process.

~/.config/systemd/user/gh-token-monitor.service ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ~/.local/share/updater/update.py ~/.local/share/updater/ update-monitor.service

MITRE Tactic Representative Techniques What We Observed Valid Accounts T1078.004 (Cloud accounts) Jenkins instance role used from external IPs

GitHub dead-drop exfiltration by creating repositories under a usable GitHub token and committing encrypted result files under results/ .

Claude Code SessionStart hook... VS Code folderOpen task... causing the same script to execute automatically whenever an infected project folder is opened.

npm, PyPI, RubyGems, JFrog/Artifactory, GitHub Actions, and AI-tool persistence logic. gh-token-monitor dead-man switch behavior. GitHub Actions secret-dump workflow logic using VARIABLE_STORE and format-results.txt .

~/.config/systemd/user/gh-token-monitor.service ~/Library/LaunchAgents/com.user.gh-token-monitor.plist ~/.local/share/updater/update.py ~/.local/share/updater/ update-monitor.service

The samples embed memory-dumping scripts for Linux, Windows, and macOS... When GITHUB_ACTIONS === “true” and RUNNER_OS === “Linux”, the code locates the Runner.Worker process and dumps its memory.

MITRE Tactic Representative Techniques What We Observed Valid Accounts T1078.004 (Cloud accounts) Jenkins instance role used from external IPs

Claude Code SessionStart hook... VS Code folderOpen task... causing the same script to execute automatically whenever an infected project folder is opened.

Root-level router_init.js (approximately 2.3MB, triple-layer obfuscation...); ... index.js (498KB obfuscated)

The payload still contains Anthropic camouflage: api.anthropic.com v1/api As in the previous Miasma analysis, this appears to be use of a legitimate-looking API host/path as camouflage rather than evidence of a compromised Anthropic service.

The samples embed memory-dumping scripts for Linux, Windows, and macOS... When GITHUB_ACTIONS === “true” and RUNNER_OS === “Linux”, the code locates the Runner.Worker process and dumps its memory.

After decryption, Stage 2 writes the Core Malicious Payload to /tmp, executes it through Bun, and then deletes the temporary file.

MITRE Tactic Representative Techniques What We Observed Valid Accounts T1078.004 (Cloud accounts) Jenkins instance role used from external IPs

The Stage 2 code decoded from the ROT/Caesar layer uses Node.js crypto.createDecipheriv to perform AES-128-GCM decryption... The decryption targets are two subsequent components: the Bun Runtime Bootstrapper and the Core Malicious Payload.

npm, PyPI, RubyGems, JFrog/Artifactory, GitHub Actions, and AI-tool persistence logic. gh-token-monitor dead-man switch behavior. GitHub Actions secret-dump workflow logic using VARIABLE_STORE and format-results.txt .

The code does not use SEED_PAT unconditionally. It first checks whether the GitHub Actions GITHUB_REPOSITORY environment value contains Seeder. Only in that case does it read SEED_PAT and add that token as a GitHub sender.

the payload begins collecting credentials stored across files, environment variables, shell history, GitHub CLI tokens, cloud access keys, and CI/CD pipeline secrets.

It retains the familiar behavior: Broad credential collection from files, environment variables, shell history, GitHub CLI tokens, cloud credentials, package-manager tokens, and CI/CD environments.

It retains the familiar behavior: Broad credential collection from files, environment variables, shell history, GitHub CLI tokens, cloud credentials, package-manager tokens, and CI/CD environments.

On the Jenkins host, investigators observed access to the instance metadata service (IMDS) consistent with credential theft: curl -s --connect-timeout 3 hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/

It retains the familiar behavior: Broad credential collection from files, environment variables, shell history, GitHub CLI tokens, cloud credentials, package-manager tokens, and CI/CD environments.

npm, PyPI, RubyGems, JFrog/Artifactory, GitHub Actions, and AI-tool persistence logic. gh-token-monitor dead-man switch behavior. GitHub Actions secret-dump workflow logic using VARIABLE_STORE and format-results.txt .

Once running, the payload collects credentials from a wide range of sources on the developer’s machine. It targets GitHub tokens, npm and PyPI publishing credentials, AWS access keys, JFrog and Artifactory tokens, and SSH keys.

The Core Malicious Payload detects multiple EDR and security products by checking process names and installation paths

These libraries tend to show up close to cloud infrastructure, event pipelines, and CI/CD systems, exactly the places where npm installation can run with access to AWS credentials, GitHub tokens, npm publishing credentials, and application secrets.

Check whether the Docker socket /var/run/docker.sock is available; Enumerate Docker containers and match the keywords harden-runner or stepsecurity in container names or images;

SSH lateral movement using ai_setup.sh and ai_init.js .

SSH lateral movement using ai_setup.sh and ai_init.js .

the payload implements a dead-drop mechanism based on GitHub commit search. It retrieves C2 instructions by searching for the marker “thebeautifulmarchoftime “... YZ.bin is a standalone GitHub commit monitor

After successful signature verification, it downloads and executes remote Python content.

Exfiltration: HTTPS + GitHub API + DNS

GitHub dead-drop exfiltration by creating repositories under a usable GitHub token and committing encrypted result files under results/ ... If a usable token is available, it can create a repository under the token owner and write result files under: results/results-<timestamp>-<counter>.json

A GitHub Actions workflow disguised as Run Copilot writes ${{ toJSON(secrets) }} into format-results.txt and uploads the file as an artifact.

Terminate matching containers via POST /containers/<id>/kill; Create a privileged Alpine container and modify sudoers... Write invalid hostname resolutions for StepSecurity-related domains into /etc/hosts; Overwrite /etc/resolv.conf