Shai-Hulud Strikes Again: 23 npm Packages Compromised in Multi-Stage Supply Chain Attack—Are Your CI/CD Pipelines Next?

Introduction

The Shai-Hulud malware family—named after the giant sandworms of Dune—has proven to be one of the most persistent and evolving threats in the software supply chain ecosystem. First discovered in September 2025, this self-propagating worm has continuously mutated, with variants like Miasma and Hades demonstrating increasing sophistication in evasion, propagation, and credential theft. The latest variant, detected by OX Security researchers, has compromised 23 npm packages across the `leo-` namespace, amassing 52,640 monthly downloads and infecting 338 GitHub repositories with stolen credentials. What makes this iteration particularly alarming is its use of three compromised accounts across npm and GitHub, a multi-stage dropper that weaponizes fifth-stage payloads, and a novel command-and-control mechanism that leverages GitHub commits as a dynamic C2 channel.

Learning Objectives

  • Understand the infection chain of the Shai-Hulud / Miasma / Hades variant, including the binding.gyp execution vector and multi-stage dropper logic.
  • Learn how attackers use GitHub as a C2 infrastructure and payload delivery mechanism via compromised accounts and commit messages.
  • Master practical detection and mitigation techniques, including package verification, credential rotation, and CI/CD pipeline hardening.
  • Gain hands-on experience with Linux/Windows commands and security tools to identify and block malicious npm packages.

1. The Infection Chain: How a Single npm Install Compromises Your Entire Pipeline

The latest Shai-Hulud variant employs a multi-stage dropper that begins execution the moment a malicious package is installed. Unlike traditional npm malware that relies on `postinstall` scripts, this variant leverages a preconfigured `binding.gyp` file—a configuration file used for native add-on compilation—which executes automatically during installation without triggering typical security alarms.

Step-by-Step Breakdown of the Attack

Stage 1 – Initial Compromise: The attacker compromises a legitimate developer npm account—in this case, the account `czirker`. The credentials were likely obtained through infostealer logs, with similar campaigns showing credentials sitting in logs for up to seven weeks before weaponization.

Stage 2 – Malicious Package Publication: The attacker publishes updated versions of 23 packages under the `leo-` namespace, embedding the malicious `binding.gyp` file.

Stage 3 – Installation-Time Execution: When a developer runs `npm install`, the `binding.gyp` file executes, initiating the dropper chain without requiring a `postinstall` script.

Stage 4 – Payload Download: The malware reaches out to GitHub repositories controlled by the attacker—specifically accounts `miaxxxxxx` and `l3v1cs`—to download subsequent payload stages.

Stage 5 – Credential Theft and Exfiltration: The malware steals GitHub tokens, npm tokens, AWS/GCP/Azure cloud credentials, and local environment information. Stolen data is uploaded to GitHub using the marker string “Alright Lets See If This Works”.

Stage 6 – Persistence and Propagation: The malware continues to download fifth and sixth-stage payloads, creating an endless loop of malicious activity.

Detection Commands

To check if your project uses any of the affected packages, run:

```bash
# List every installed package, including transitive dependencies, and grep for affected ones
npm list --all | grep -E "leo-sdk|leo-cli|leo-auth|leo-connector-common|leo-connector-mysql|leo-connector-postgres|leo-connector-elasticsearch|leo-connector-mongo|leo-aws|leo-config|leo-connector-entity-table|leo-logger|leo-streams|leo-cache|leo-connector-oracle|leo-connector-redshift|serverless-leo|leo-cron|serverless-convention|solo-1av|rstreams-metrics|leo-cdk-lib|rstreams-shard-util"
```

For Windows (PowerShell):

```powershell
npm list --all | Select-String -Pattern "leo-sdk|leo-cli|leo-auth|leo-connector-common|leo-connector-mysql|leo-connector-postgres|leo-connector-elasticsearch|leo-connector-mongo|leo-aws|leo-config|leo-connector-entity-table|leo-logger|leo-streams|leo-cache|leo-connector-oracle|leo-connector-redshift|serverless-leo|leo-cron|serverless-convention|solo-1av|rstreams-metrics|leo-cdk-lib|rstreams-shard-util"
```
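
The same check can be run against `package-lock.json` before anything is installed, which also catches transitive dependencies. This is an added example, not code from the original article; the sample lockfile and the `etl-helper` name are constructed, and `AFFECTED` holds only a subset of the names listed above.

```javascript
// Added example: look for affected packages in package-lock.json without installing.
// Subset of the package names listed in the article; extend with the full list.
// Matching is by name only, since the article does not list affected versions.
const AFFECTED = new Set(['leo-sdk', 'leo-cli', 'leo-auth', 'leo-aws', 'leo-config',
  'leo-logger', 'leo-streams', 'leo-cache', 'leo-cron', 'serverless-leo']);

// lockfileVersion 2/3: flat "packages" map keyed by install location.
function fromPackagesMap(packages) {
  const hits = [];
  for (const [location, meta] of Object.entries(packages)) {
    const i = location.lastIndexOf('node_modules/');
    if (i === -1) continue; // root project ("") or a local workspace folder
    const name = location.slice(i + 'node_modules/'.length);
    if (AFFECTED.has(name)) hits.push({ name, version: meta.version, location });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree.
function fromDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (AFFECTED.has(name)) hits.push({ name, version: meta.version, location: chain.join(' > ') });
    hits.push(...fromDependencyTree(meta.dependencies, chain));
  }
  return hits;
}

function findAffected(lock) {
  return lock.packages ? fromPackagesMap(lock.packages) : fromDependencyTree(lock.dependencies);
}

// Constructed sample lockfile; "etl-helper" is a hypothetical direct dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/etl-helper': { version: '2.1.0' },
    'node_modules/etl-helper/node_modules/leo-sdk': { version: '0.0.0-sample' },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of its `package-lock.json` to `findAffected`.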

Mitigation: Downgrade to Safe Versions

```bash
# Example: downgrade leo-sdk to a safe version (check npm for the last known good version)
npm install leo-sdk@<safe-version>  # Replace <safe-version> with the actual safe version
```

2. GitHub as C2: The “Firedalazer” Payload Delivery Mechanism

One of the most innovative—and dangerous—aspects of this attack is the use of GitHub as a command-and-control (C2) infrastructure. The malware doesn’t rely on traditional C2 servers that can be easily blocked; instead, it uses public GitHub repositories and commit messages as a dynamic channel for payload delivery and command execution.

How the C2 Mechanism Works

The malware periodically queries the GitHub Commit Search API at `https://api.github.com/search/commits` looking for commits containing the keyword “firedalazer”. When a matching commit is found, the malware decodes the URL embedded in the commit message, which points to a payload hosted in a compromised GitHub repository.

The decoded URL ultimately points to an `index.js` file inside the repository `l3v1cs/Html-Bootstrap-TinDog`. This payload then downloads additional stages, including the “Hades The End for the Damned” variant, which has already infected 179 GitHub repositories.
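
One way to watch for this channel from the defender's side is to flag build hosts that query the commit search endpoint or fetch from the repository named above. This is an added example, not code from the original article; the proxy log format, host names and sample lines are constructed assumptions.

```javascript
// Added example: flag GitHub commit-search queries and known payload-repo
// fetches in egress proxy logs from build hosts.
// Assumed log format: "<ISO time> <client> <method> <url> <status>".
const MARKERS = ['firedalazer']; // keyword named in the article
const PAYLOAD_REPO = '/l3v1cs/Html-Bootstrap-TinDog/'; // repository named in the article

function classify(line) {
  const [time, client, , rawUrl] = line.trim().split(/\s+/);
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // skip malformed lines
  if (url.hostname === 'api.github.com' && url.pathname === '/search/commits') {
    const q = (url.searchParams.get('q') || '').toLowerCase();
    const marker = MARKERS.find((m) => q.includes(m));
    return { time, client, rule: 'commit-search', severity: marker ? 'high' : 'medium', detail: q };
  }
  if (url.hostname === 'raw.githubusercontent.com' && url.pathname.startsWith(PAYLOAD_REPO)) {
    return { time, client, rule: 'known-payload-repo', severity: 'high', detail: url.pathname };
  }
  return null;
}

// Only build hosts are in scope: a CI runner has little reason to search
// commits across GitHub, while a developer workstation might.
function scan(lines, buildHosts) {
  return lines.map(classify).filter((alert) => alert && buildHosts.has(alert.client));
}

// Constructed sample log lines; the commit SHA is a placeholder.
const SAMPLE_LOG = [
  '2026-01-01T10:00:00Z ci-runner-01 GET https://registry.npmjs.org/express 200',
  '2026-01-01T10:00:05Z ci-runner-01 GET https://api.github.com/search/commits?q=firedalazer 200',
  '2026-01-01T10:00:09Z ci-runner-01 GET https://raw.githubusercontent.com/l3v1cs/Html-Bootstrap-TinDog/0000000000000000000000000000000000000000/index.js 200',
  '2026-01-01T10:02:00Z dev-laptop-07 GET https://api.github.com/search/commits?q=fix+typo 200',
  '2026-01-01T10:03:00Z ci-runner-02 GET https://api.github.com/search/commits?q=release+notes 200',
  'garbage line',
];
const BUILD_HOSTS = new Set(['ci-runner-01', 'ci-runner-02']);

console.log(scan(SAMPLE_LOG, BUILD_HOSTS));
```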

Step-by-Step: Identifying Compromised Repositories

To identify if your organization’s repositories have been targeted, search GitHub for the marker strings:

```bash
# Search for the primary marker
# (append +org:<your-org> to the query to limit results to your organization)
curl -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/search/repositories?q=%22Alright+Lets+See+If+This+Works%22"

# Search for the Hades variant marker
curl -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/search/repositories?q=%22Hades++The+End+for+the+Damned%22"
```

Blocking Malicious GitHub Domains

The hosts file (`/etc/hosts` on Linux/macOS, `C:\Windows\System32\drivers\etc\hosts` on Windows) maps hostnames only and cannot match a URL path, so block the known malicious payload URLs at a URL-filtering proxy or web gateway instead:

– `https://raw.githubusercontent.com/l3v1cs/Html-Bootstrap-TinDog/e027c6ea4c8042c4778dc4f392bf5f94a3c6310d/setup.py`
– `https://raw.githubusercontent.com/l3v1cs/Html-Bootstrap-TinDog/cb6699faacade9775d3d83059d6ba6a756755193/index.js`

Enterprise Mitigation: Blocking GitHub Search API Access

For enterprises, consider restricting outbound API access to GitHub from build environments:

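```bash
# Block GitHub API access using iptables (Linux).
# The hostname is resolved once, when the rule is added.
iptables -A OUTPUT -d api.github.com -j DROP
```

```powershell
# Or using Windows Firewall. -RemoteAddress accepts IP addresses or ranges, not hostnames;
# GitHub publishes its current ranges at https://api.github.com/meta
New-NetFirewallRule -DisplayName "Block GitHub API" -Direction Outbound -RemoteAddress <github-api-ip-range> -Action Block
```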

3. Credential Theft and the Underground Economy

The primary objective of the Shai-Hulud / Miasma malware is credential harvesting. The malware steals:

  • GitHub tokens – used to push malicious code to repositories and publish compromised packages
  • npm tokens – used to publish malicious package versions
  • Cloud credentials – AWS, GCP, and Azure access keys
  • Local environment variables – often containing API keys and secrets

The Seven-Week Credential Gap

Research has revealed that the credentials used in these attacks often sit in infostealer logs for weeks or even months before being weaponized. In the case of the Red Hat compromise, credentials were exposed as early as April 13, 2026, but weren’t used until June 1. This lag represents a critical window for detection and remediation.

Proactive Credential Hygiene

Step 1 – Audit all npm tokens:

```bash
# List all npm tokens
npm token list

# Revoke any suspicious tokens
npm token revoke <token-id>
```

Step 2 – Audit GitHub tokens and SSH keys:

```bash
# List GitHub SSH keys (using GitHub CLI)
gh auth status
gh api user/keys

# Personal access tokens cannot be listed through the REST API;
# review and revoke them at https://github.com/settings/tokens
```

Step 3 – Rotate cloud credentials:

```bash
# AWS – Rotate access keys
aws iam create-access-key --user-name <your-username>
aws iam delete-access-key --access-key-id <old-key-id> --user-name <your-username>

# GCP – Rotate service account keys
gcloud iam service-accounts keys list --iam-account=<service-account-email>
gcloud iam service-accounts keys delete <key-id> --iam-account=<service-account-email>
gcloud iam service-accounts keys create <new-key-file> --iam-account=<service-account-email>
```

4. Enabling 2FA and Hardening npm Accounts

The compromised `czirker` account highlights a critical vulnerability: accounts without two-factor authentication (2FA) are primary targets. npm has been actively encouraging 2FA adoption, but many developers still haven’t enabled it.

Step-by-Step: Enable 2FA on npm

  1. Log in to npm and navigate to Account Settings.
  2. Select “Enable 2FA” under the Security section.
  3. Choose between “Authorization Only” (for publishing) or “Authorization and Publishing” (full protection).
  4. Scan the QR code with an authenticator app (Google Authenticator, Authy, etc.).
  5. Save the backup codes in a secure location.

Enforce 2FA at the Organization Level

For npm organizations, enforce 2FA for all members. The npm CLI has no command for this (`npm org set` only assigns a member's role), so an organization owner enables the requirement in the organization's settings on npmjs.com.

GitHub 2FA Enforcement

```bash
# Using GitHub CLI to list organization members without 2FA (organization owners only)
gh api "orgs/<org-name>/members?filter=2fa_disabled" --paginate --jq '.[].login'
```

5. Detecting Malicious binding.gyp Files

The use of `binding.gyp` as an execution vector is a significant evasion technique because these files are typically associated with legitimate native add-on compilation. Security tools that only scan `postinstall` and `preinstall` scripts will miss this attack.

Manual Inspection

Check your `node_modules` directories for suspicious `binding.gyp` files:

```bash
# Linux/macOS – Find all binding.gyp files and print matching lines with file name and line number
find node_modules -name "binding.gyp" -exec grep -HnE "curl|wget|base64|eval|exec|child_process" {} +
```

```powershell
# Windows PowerShell
Get-ChildItem -Path .\node_modules -Filter binding.gyp -Recurse | Select-String -Pattern "curl|wget|base64|eval|exec|child_process"
```
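
Pattern matching inside `binding.gyp` can be complemented by an inventory of every installed package that runs code at install time, counting a root `binding.gyp` (for which npm runs `node-gyp rebuild` implicitly) alongside declared lifecycle scripts. This is an added example, not code from the original article; the fixture and its package names are constructed.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const HOOKS = ['preinstall', 'install', 'postinstall'];

// Yield every package directory under node_modules, including @scope/name
// packages and nested node_modules. Symlinks are skipped to avoid loops.
function* packageDirs(nodeModules) {
  if (!fs.existsSync(nodeModules)) return;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith('@')) { yield* packageDirs(dir); continue; }
    yield dir;
    yield* packageDirs(path.join(dir, 'node_modules'));
  }
}

// List packages that run code during `npm install`: declared lifecycle hooks,
// or a root binding.gyp, which makes npm run `node-gyp rebuild` implicitly
// when no install/preinstall script is declared.
function installTimeExecutors(projectRoot) {
  const findings = [];
  for (const dir of packageDirs(path.join(projectRoot, 'node_modules'))) {
    const manifest = path.join(dir, 'package.json');
    if (!fs.existsSync(manifest)) continue;
    const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'));
    const hooks = HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
    const implicitGyp = fs.existsSync(path.join(dir, 'binding.gyp')) &&
      !hooks.includes('install') && !hooks.includes('preinstall');
    if (hooks.length || implicitGyp) findings.push({ name: pkg.name, version: pkg.version, hooks, implicitGyp });
  }
  return findings;
}

// Constructed fixture with hypothetical package names, written to a temp dir.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'gyp-audit-'));
  const add = (rel, manifest, gyp) => {
    const dir = path.join(root, 'node_modules', rel);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify(manifest));
    if (gyp) fs.writeFileSync(path.join(dir, 'binding.gyp'), '{ "targets": [] }');
  };
  add('plain-lib', { name: 'plain-lib', version: '1.0.0' }, false);
  add('hooked-lib', { name: 'hooked-lib', version: '2.0.0', scripts: { postinstall: 'node setup.js' } }, false);
  add('plain-lib/node_modules/@acme/native-lib', { name: '@acme/native-lib', version: '3.1.0' }, true);
  return root;
}

console.log(installTimeExecutors(buildFixture()));
```

Run `installTimeExecutors` on a project root and compare the result with the native add-ons you expect; any package flagged `implicitGyp` that is not on that list deserves a manual look.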

Automated Scanning with npm Audit

While `npm audit` doesn’t catch all malicious packages, it’s still a useful first line of defense:

```bash
npm audit --omit=dev
npm audit fix --dry-run
```

Using Third-Party Tools

Consider using specialized supply chain security tools like:

  • Socket – detects obfuscated code and high-risk dependencies
  • Snyk – provides vulnerability scanning and remediation
  • FOSSA – offers package blocking for confirmed malicious packages

6. Incident Response: What to Do If You’re Infected

If you discover that your environment has been compromised by the Shai-Hulud / Miasma / Hades variant, follow this incident response plan:

Immediate Actions

  1. Isolate the infected system from the network to prevent further credential exfiltration.
  2. Identify all affected repositories – search GitHub for the markers “Alright Lets See If This Works” and “Hades The End for the Damned”.
  3. Revoke all credentials that were present on the infected system, including:
     – npm tokens
     – GitHub tokens and SSH keys
     – AWS/GCP/Azure access keys
     – Any API keys stored in environment variables
  4. Downgrade affected packages to safe versions.

Forensic Analysis

Check for the following Indicators of Compromise (IOCs):

Public encryption keys (Miasma variant):

MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAut0YWEh9/gZIsSoF6feF
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwtmpAkLxoe3q3BxHOLPE

Public encryption keys (Hades variant):

MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAifY0q2qOZke8FTr7c23d
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy/uXzJGGCEF39GtSJk9H

Relevant strings:

– `Alright Lets See If This Works`
– `TheBeautifulSandsOfTime`
– `thebeautifulmarchoftime`
– `RevokeAndItGoesKaboom`

Known malicious URLs:

– `https://raw.githubusercontent.com/l3v1cs/Html-Bootstrap-TinDog/e027c6ea4c8042c4778dc4f392bf5f94a3c6310d/setup.py`
– `https://raw.githubusercontent.com/l3v1cs/Html-Bootstrap-TinDog/cb6699faacade9775d3d83059d6ba6a756755193/index.js`

7. Hardening CI/CD Pipelines Against Supply Chain Attacks

CI/CD pipelines are a prime target for supply chain attackers because they have access to production credentials and can propagate malware across the entire software delivery lifecycle.

Best Practices

  1. Use a Private npm Registry: Mirror all npm packages through a private registry (e.g., JFrog Artifactory, GitHub Packages) to audit and control what gets installed.

```bash
# Configure npm to use a private registry
npm config set registry https://your-private-registry.com/
```

  2. Pin Package Versions: Never use `^` or `~` in `package.json` for production dependencies. Pin to exact versions, for example `"6.0.18"` instead of `"^6.0.18"`.

```json
{
  "dependencies": {
    "leo-sdk": "6.0.18"
  }
}
```

  3. Scan All Dependencies: Integrate SCA (Software Composition Analysis) tools into your CI/CD pipeline.

```yaml
# GitHub Actions example
# In production workflows, pin the action to a full commit SHA instead of @master.
- name: Run Snyk Security Scan
  uses: snyk/actions/node@master
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high
```

  4. Block Installation-Time Execution: Use npm’s `ignore-scripts` flag to prevent any scripts from running during installation. This also skips the implicit `node-gyp rebuild` that npm runs for packages that ship a `binding.gyp`.

```bash
npm install --ignore-scripts
```

For production builds, consider using the `--omit=dev` flag (formerly `--production`) to skip devDependencies.

  5. Use Package Blockers: Tools like FOSSA’s Package Blocker can block known malicious packages.

What Undercode Say

  • Key Takeaway 1: The Shai-Hulud / Miasma / Hades variant represents a significant evolution in supply chain attacks, using GitHub as a C2 channel and `binding.gyp` as an execution vector that bypasses traditional security controls. The use of three compromised accounts across npm and GitHub demonstrates the attackers’ operational maturity and ability to maintain persistence.

  • Key Takeaway 2: The seven-week credential exposure window is a critical finding—organizations must implement continuous credential monitoring and automated rotation to close this gap. The fact that credentials can sit in infostealer logs for months before being weaponized underscores the importance of proactive security hygiene.

Analysis: This attack is not an isolated incident but part of a broader trend where open-source ecosystems are becoming the primary battleground for supply chain attacks. The Shai-Hulud malware family has evolved from a simple npm worm to a sophisticated, multi-platform threat that now targets PyPI, GitHub Actions, and even VSCode extensions. The use of GitHub as C2 is particularly concerning because it leverages a trusted platform that organizations cannot simply block without disrupting legitimate development workflows. This attack also highlights the growing underground economy for developer credentials, where stolen tokens are traded and weaponized by multiple threat actors with distinct motivations.

The detection of different public encryption keys in this variant suggests a new actor is behind this wave, not the previously identified TeamPCP group. This fragmentation of threat actors makes attribution and defense more challenging, as each group may use slightly different techniques and indicators.

Prediction

  • -1: The use of GitHub as a C2 channel will become standard practice for supply chain attackers, making detection significantly harder. Organizations will need to implement behavioral monitoring of outbound API calls to detect anomalous GitHub search queries.

  • -1: The credential exposure window will continue to widen as infostealer operators build larger databases of compromised credentials. We can expect to see credentials being weaponized months or even years after initial theft, making traditional incident response timelines obsolete.

  • +1: The open-source community will respond with stronger security defaults, including mandatory 2FA for all npm publishers and automated scanning of `binding.gyp` and other installation-time execution vectors. npm’s promised malicious code detection, if implemented effectively, could significantly reduce the impact of future attacks.

  • -1: Attackers will increasingly target CI/CD pipelines and AI coding assistants as the next frontier, using prompt injection and workflow manipulation to propagate malware. The integration of AI tools into development workflows creates new attack surfaces that are poorly understood and inadequately secured.

  • +1: The Shai-Hulud open-source leak will ironically lead to better defenses, as security researchers gain access to the malware’s source code and can develop more effective detection signatures and mitigation strategies. However, it also lowers the barrier to entry for copycat attackers.

Reported By: Hexploit Shai – Hackers Feeds