Mini Shai-Hulud Unleashed: The Self-Replicating SAP npm Supply Chain Nightmare That’s Still Active + Video


Introduction

A stealthy, self-replicating supply chain attack dubbed “Mini Shai-Hulud” is actively targeting SAP’s Node.js ecosystem, leveraging seven stolen GitHub tokens to compromise 971 repositories and exfiltrate encrypted secrets. This campaign uses a bun‑based secret stealer that adapts to CI environments, recursively infects npm packages, and even hides a fallback payload double‑base64‑encoded inside commit messages.

Learning Objectives

  • Dissect the credential‑harvesting, token exfiltration, and fallback mechanisms of the Mini Shai‑Hulud malware.
  • Implement detection and mitigation strategies for stolen GitHub tokens and malicious npm packages.
  • Harden CI/CD pipelines, rotate secrets, and perform incident response against self‑replicating supply chain attacks.

You Should Know

1. Anatomy of the Attack: Credential Harvesting, Token Exfiltration & Fallback Payload

The malware begins by reading CI environment variables (e.g., CI, GITHUB_TOKEN, NPM_TOKEN). If a GitHub personal access token (ghp_) is found locally, it encrypts collected secrets with RSA and exfiltrates them to the attacker’s GitHub account. If no token exists, it scans commit messages for the string 'OhNoWhatsGoingOnWithGitHub:', then decodes a double‑base64‑encoded payload and uses that account for exfiltration. The RSA keys used are identical to those in the recent `@bitwarden/cli` attack.

Step‑by‑step guide to simulate and detect:

  • Check CI environment variables (Linux/macOS):

`env | grep -E "CI|GITHUB_TOKEN|NPM_TOKEN"`

  • Scan local Git history for the trigger string:

`git log --grep='OhNoWhatsGoingOnWithGitHub' --oneline`

  • Decode the double‑base64 payload (Python example):
    import base64
    encoded = "c2VjcmV0..."  # replace with the string extracted from the commit message
    b64_once = base64.b64decode(encoded)  # first layer
    final = base64.b64decode(b64_once)    # second layer
    print(final.decode())
    
  • Detect RSA public keys used for exfiltration:

`grep -r "BEGIN RSA PUBLIC KEY" .npmrc /root/.ssh/`
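Putting the commit-message search and the double-base64 decode together, as an added example that is not part of the original post: a Python scanner over `git log --all --format='%H%x00%B%x00'` output that reports every commit carrying the trigger string and whether its payload decodes cleanly. The sample log and the payload embedded in it are constructed placeholders, not data from the campaign.

```python
import base64
import binascii
import re
from typing import Optional

# Marker the article reports the malware looks for in commit messages.
TRIGGER = "OhNoWhatsGoingOnWithGitHub:"

# Constructed sample of `git log --all --format='%H%x00%B%x00'` output
# (hash, NUL, full message, NUL, newline per commit). The embedded payload
# is a placeholder JSON document, double-base64-encoded here; it is not
# real attacker data.
_SAMPLE_PAYLOAD = b'{"account": "PLACEHOLDER-ACCOUNT"}'
_SAMPLE_ENCODED = base64.b64encode(base64.b64encode(_SAMPLE_PAYLOAD)).decode()
SAMPLE_LOG = (
    "a" * 40 + "\x00Fix typo in README\x00\n"
    + "b" * 40 + "\x00chore: bump deps\n\n" + TRIGGER + _SAMPLE_ENCODED + "\x00\n"
    + "c" * 40 + "\x00Release 1.2.3\x00\n"
)


def decode_double_base64(blob: str) -> Optional[bytes]:
    """Peel both base64 layers; return None if either layer is malformed."""
    try:
        inner = base64.b64decode(blob, validate=True)
        return base64.b64decode(inner, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_fallback_payloads(git_log: str) -> list:
    """One finding per trigger occurrence in any commit message."""
    findings = []
    fields = git_log.split("\x00")
    # fields alternate hash, message, hash, message, ...; each hash after the
    # first carries the newline git prints between commits, hence strip().
    for commit, message in zip(fields[0::2], fields[1::2]):
        for match in re.finditer(re.escape(TRIGGER) + r"([A-Za-z0-9+/=]+)", message):
            decoded = decode_double_base64(match.group(1))
            findings.append({
                "commit": commit.strip(),
                "decodable": decoded is not None,
                # Decoded bytes rendered as text for analyst triage; the value
                # is evidence to preserve, not a credential to reuse.
                "payload": decoded.decode("utf-8", "replace") if decoded else None,
            })
    return findings
```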

2. Detecting Compromised GitHub Tokens in Your Environment

Stolen tokens (pattern ghp_) allow attackers to read and write to repositories, escalate privileges, and propagate the malware. Use the GitHub CLI and local scanning to find exposed tokens.

Step‑by‑step detection:

  • List all personal access tokens for a user (GitHub CLI):

`gh api /user/personal-access-tokens --jq '.[].token'` (requires admin rights)

  • Scan local files for token patterns:

`grep -r --include="*.env" --include="*.json" "ghp_[A-Za-z0-9]" .`

  • Audit GitHub Actions secrets exposure:

`gh api /repos/{owner}/{repo}/actions/secrets --jq '.secrets[].name'`

  • Check if a token has been used in unusual locations:

`gh api /user/personal-access-tokens/{token_id}/events`
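An added example (not from the original post) of the local token scan in Python: it reports hits with the value redacted, so the report itself does not become another copy of the secret. The patterns beyond `ghp_` (the other GitHub prefixes and npm's `npm_` tokens) are an assumption that goes beyond the article's case; the sample file contents are constructed.

```python
import re
from pathlib import Path
from typing import List

# Token shapes. The article's case is the classic "ghp_" token (36 alphanumerics
# after the prefix). Assumption, going beyond the article: the other GitHub
# prefixes (gho_, ghu_, ghs_, ghr_, github_pat_) and npm's "npm_" tokens use
# well-known fixed-length formats and are worth catching in the same pass.
TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"
    r"|\bgithub_pat_[A-Za-z0-9_]{82}\b"
    r"|\bnpm_[A-Za-z0-9]{36}\b"
)

# Constructed sample file contents; both tokens are synthetic placeholders.
SAMPLE_ENV = (
    "# constructed .env for the example\n"
    + "GITHUB_TOKEN=ghp_" + "0123456789" * 3 + "abcdef\n"
    + "NPM_TOKEN=npm_" + "9" * 36 + "\n"
    + "API_URL=https://example.invalid\n"
)


def redact(token: str) -> str:
    """Keep the family prefix and last four chars so a finding is identifiable
    without the report itself holding the secret."""
    prefix = token.split("_", 1)[0]
    return f"{prefix}_...{token[-4:]}"


def scan_text(text: str, source: str) -> List[dict]:
    """Findings for one file's contents: location, token family, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            token = match.group()
            findings.append({"source": source, "line": lineno,
                             "kind": token.split("_", 1)[0], "redacted": redact(token)})
    return findings


def scan_tree(root: str, suffixes=(".env", ".json", ".yml", ".yaml", ".npmrc")) -> List[dict]:
    """Walk a checkout and scan every file whose name ends in a common config suffix."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.endswith(suffixes):
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings
```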

3. Preventing npm Supply Chain Attacks with Integrity Checks and Auditing

Mini Shai‑Hulud spreads through compromised npm packages. Protect your projects by verifying package integrity and using lock files.

Step‑by‑step hardening:

  • Audit dependencies for known vulnerabilities:

`npm audit --production --json > audit_report.json`

  • Enforce exact versions and integrity via package-lock.json:
    `npm ci` (installs from lock file, fails if hashes mismatch)
  • Use `npm install --package-lock-only` to refresh the lock file without installing.
  • Add a pre‑install script to block untrusted packages (Windows/Linux example in `scripts` section of package.json):
    "preinstall": "npx validate-npm-package-name --strict"
    
  • Consider tools like Socket or Snyk for real‑time dependency scanning.
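To show what the `npm ci` hash check amounts to, an added example (not npm's own code): it parses the lockfile's SRI `integrity` field, compares it with a hash of the tarball bytes using a constant-time comparison, and lists entries that carry no integrity at all. The lockfile fragment and tarball bytes are constructed.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm stores it: '<algo>-<base64>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


# Constructed tarball bytes and a constructed lockfileVersion-3 fragment; the
# integrity value is derived from those bytes here, not copied from a registry.
SAMPLE_TARBALL = b"constructed tarball bytes standing in for demo-pkg-1.0.0.tgz"
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"demo-pkg": "1.0.0"}},
        "node_modules/demo-pkg": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/demo-pkg/-/demo-pkg-1.0.0.tgz",
            "integrity": sri_digest(SAMPLE_TARBALL),
        },
        # An entry with no integrity field: npm has nothing to verify it against.
        "node_modules/unpinned-pkg": {"version": "2.0.0"},
    },
}


def parse_sri(value: str) -> Tuple[str, bytes]:
    """Split 'sha512-<b64>' into (algorithm, raw digest), rejecting weak algorithms."""
    algo, _, b64 = value.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo!r}")
    return algo, base64.b64decode(b64)


def verify_tarball(lock: dict, package_path: str, tarball: bytes) -> bool:
    """Hash the fetched tarball and compare with the pinned digest, as `npm ci` does.
    Raises if the entry has no integrity field, since silence there is not safety."""
    entry = lock["packages"][package_path]
    if "integrity" not in entry:
        raise ValueError(f"{package_path} has no integrity field; re-pin before trusting it")
    algo, expected = parse_sri(entry["integrity"])
    return hmac.compare_digest(expected, hashlib.new(algo, tarball).digest())


def unpinned_packages(lock: dict) -> List[str]:
    """Lockfile entries lacking an integrity hash (the root entry "" is exempt)."""
    return [p for p, e in lock["packages"].items() if p and "integrity" not in e]
```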
4. Analyzing Malicious npm Packages with Bun and Payload Decoding

The malware is bundled with Bun (a fast JavaScript runtime). Analysts can extract and decode hidden payloads to understand attack vectors.

Step‑by‑step analysis:

  • Install Bun and download the suspicious package:
    `curl -fsSL https://bun.sh/install | bash`

`npm pack @suspicious/package`

`tar -xzf *.tgz`

  • Search for obfuscated strings or `OhNoWhatsGoingOnWithGitHub` inside package files:

`grep -r "OhNoWhatsGoingOnWithGitHub" package/`

  • Decode double‑base64 payload from a commit (use the Python script from Section 1).
  • Check for Bun‑specific runtime exfiltration code:

`grep -r "Bun.write\|Bun.spawn" package/`

  • Monitor network calls from the package (sandboxed):
    `bun run index.js &` then `lsof -i -P | grep bun`

5. Hardening CI/CD Pipelines Against Token Theft

Replace long‑lived personal access tokens with short‑lived, scoped tokens and OIDC authentication. Many stolen tokens in this campaign came from overly permissive CI secrets.

Step‑by‑step hardening (GitHub Actions as example):

  • Use OIDC to authenticate with cloud providers:

Add permissions in the workflow:

    permissions:
      id-token: write
      contents: read

  • Rotate any existing `ghp_` tokens immediately:
    `gh auth refresh -h github.com`, then revoke old tokens via Settings → Developer settings → Personal access tokens.
  • Limit token scope to the minimum required (e.g., `contents: read`, not write).
  • Store secrets in GitHub’s encrypted secrets, never in environment variables.
  • For self‑hosted runners, clear `GITHUB_TOKEN` after job completion:

`unset GITHUB_TOKEN` in the post‑job script.

6. Incident Response: Revoking Tokens and Removing Malicious Commit Messages

If you suspect compromise, act fast to revoke tokens and clean infected repositories. The fallback payload hides in commit messages, so scanning history is critical.

Step‑by‑step IR:

  • Revoke all active personal access tokens (GitHub UI or CLI):

`gh api -X DELETE /user/personal-access-tokens/{id}`

  • Scan all local and remote commit messages for the trigger string:

`git log --all --grep='OhNoWhatsGoingOnWithGitHub' --format="%H %s"`

  • Remove the offending commits (if safe):
    `git filter-branch --force --index-filter "git rm --cached --ignore-unmatch " --prune-empty --tag-name-filter cat -- --all`
  • Force push the cleaned history:

`git push origin --force --all`

  • Rotate all environment secrets, including npm tokens and cloud keys.

7. Forensic Analysis of Exfiltrated RSA‑Encrypted Secrets

The malware encrypts exfiltrated secrets using RSA public keys. If you capture the exfiltrated data (e.g., via network logs), you can attempt decryption only if the corresponding private key is known – which it isn’t. However, you can identify which RSA key was used by fingerprinting.

Step‑by‑step forensics:

  • Extract the RSA public key from the malware sample:

`openssl rsa -pubin -in key.pem -text -noout`

  • Search for same key in other incidents (correlate with `@bitwarden/cli` attack).
  • Monitor network traffic for POST requests to attacker’s domain containing encrypted blobs:
    `tcpdump -A -s 0 -l 'tcp port 443 and host attacker.com' | grep -B5 "RSA"`
  • Use YARA rules to detect the key in your repository:

    rule MiniShaiHuludRSA {
        strings:
            $rsa = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..." // example fingerprint
        condition:
            $rsa
    }
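For the key-fingerprinting step, an added example (not from the post): computing OpenSSH-style SHA-256 and legacy MD5 fingerprints from a PEM public key and matching them against a fingerprint list kept from earlier incidents, which is how the `@bitwarden/cli` correlation would be made repeatable. The key bytes and the correlation table are constructed placeholders, not a real key from either campaign.

```python
import base64
import hashlib
import re
from typing import Dict, Optional

_PEM_RE = re.compile(
    r"-----BEGIN (RSA )?PUBLIC KEY-----(.*?)-----END (RSA )?PUBLIC KEY-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and whitespace and return the raw DER bytes."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM public key block found")
    return base64.b64decode("".join(match.group(2).split()), validate=True)


def fingerprint_sha256(pem: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the DER.
    The same key exported as PKCS#1 ('RSA PUBLIC KEY') and as SPKI ('PUBLIC KEY')
    has different DER bytes, so only compare keys exported in the same form."""
    digest = hashlib.sha256(pem_to_der(pem)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pem: str) -> str:
    """Legacy colon-separated MD5 fingerprint, still found in older IOC lists."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(pem_to_der(pem)).digest())


def wrap_pem(der: bytes, label: str = "PUBLIC KEY", width: int = 64) -> str:
    """Re-armor DER bytes as PEM; used here to build the constructed input."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def correlate(pem: str, known: Dict[str, str]) -> Optional[str]:
    """Return the incident label if this key's fingerprint is already on file."""
    return known.get(fingerprint_sha256(pem))


# Constructed stand-in for a key: NOT RSA key material, just a fixed byte
# pattern so the fingerprinting pipeline can be exercised offline.
CONSTRUCTED_DER = bytes(range(256)) * 2
SAMPLE_PEM = wrap_pem(CONSTRUCTED_DER)
# Constructed correlation table keyed by fingerprint (placeholder label).
KNOWN_KEYS = {fingerprint_sha256(SAMPLE_PEM): "PLACEHOLDER: key seen in an earlier incident"}
```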
    

What Undercode Say

  • Key Takeaway 1: Self‑replicating supply chain attacks are no longer theoretical – Mini Shai‑Hulud proves that stolen tokens and npm packages can be weaponized to spread malware recursively without human intervention.
  • Key Takeaway 2: Defenders must urgently audit all GitHub tokens, replace long‑lived credentials with OIDC, and treat commit messages as a potential malware delivery channel. The fallback mechanism using ‘OhNoWhatsGoingOnWithGitHub’ highlights innovative persistence.
  • Analysis: The campaign mirrors the ‘dependency confusion’ and ‘typosquatting’ techniques but adds a bun‑based runtime and RSA exfiltration identical to the Bitwarden CLI incident – suggesting a single threat actor reusing toolkits. Since the attack is still active, organizations using SAP npm packages should assume compromise and rotate all secrets immediately.

Prediction

Within the next six months, we will see a surge of self‑replicating npm malware that leverages stolen GitHub tokens and AI‑generated commit messages to evade detection. Supply chain attacks will shift from single‑package poisoning to multi‑repo worm‑like propagation, forcing platforms like GitHub to implement mandatory token expiration and real‑time runtime scanning. Expect regulatory action mandating software bills of materials (SBOM) and immutable CI/CD audit trails. Organizations that fail to adopt OIDC and automated token rotation will face repeated, automated breaches.


Reported By: Mthomasson A – Hackers Feeds