Introduction:
A new strain of malware worm, dubbed “Mini Shai-Hulud” and attributed to the notorious TeamPCP group, is actively compromising the SAP ecosystem via malicious npm packages. By exploiting npm’s automatic `preinstall` scripts, the worm downloads a Bun runtime, steals secrets from infected environments (including CI/CD pipelines), and publishes encrypted credentials to public GitHub repositories—using a hidden dead‑drop marker to propagate further.
Learning Objectives:
- Understand how malicious `preinstall` scripts in npm packages can lead to silent supply‑chain compromise.
- Detect and block npm‑based worms that target CI/CD secrets and propagate via GitHub markers.
- Implement practical Linux/Windows commands and security controls to mitigate similar attacks.
1. Malicious Preinstall Scripts – The Silent Entry Point
The attack begins with a tampered `package.json` that includes a `preinstall` script. npm executes this script automatically before the package is fully installed—giving the attacker immediate code execution.
Step‑by‑step guide to inspect and block malicious preinstall scripts:
1. Audit existing `package.json` files for suspicious scripts:

```bash
# Linux/macOS
grep -A 5 '"scripts"' package.json | grep -E 'preinstall|postinstall'
```

```powershell
# Windows (PowerShell)
Select-String -Path package.json -Pattern '"preinstall"|"postinstall"'
```

2. Prevent automatic script execution during `npm install` (use in CI/CD):

```bash
npm install --ignore-scripts
```

3. Use a sandbox or container for untrusted packages:

```bash
docker run --rm -v "$PWD":/app -w /app node:18 npm install --ignore-scripts
```
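The grep above only sees the hook command itself. As an added example (not code from the original post or from the worm), here is a small Node.js audit that also follows a `node setup.mjs`-style hook into the referenced file and flags the traits this article describes: fetching the Bun release URL, spawning a process and checking `GITHUB_ACTIONS`. The heuristics, file names and sample package are constructed for the example.

```javascript
// Added example (not from the original post or the worm): audit a package's
// lifecycle hooks for the traits described above. Heuristics are illustrative.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Label + regex pairs keyed to the behaviour the article describes.
const HEURISTICS = [
  ["fetches-remote", /\b(curl|wget|fetch\(|https?:\/\/)/i],
  ["fetches-bun-runtime", /oven-sh\/bun|bun-v\d+\.\d+\.\d+/i],
  ["spawns-process", /\b(spawn|exec|execFile|execSync)\s*\(/],
  ["checks-ci-env", /process\.env\.GITHUB_ACTIONS|\bGITHUB_TOKEN\b/],
  ["obfuscation", /\b(base64|eval|atob)\b/i],
];

function matchHeuristics(text) {
  return HEURISTICS.filter(([, re]) => re.test(text)).map(([label]) => label);
}

// pkgJsonText: contents of package.json; files: map of relative path -> file
// content from the unpacked tarball, so hooks like "node setup.mjs" can be followed.
function auditPackage(pkgJsonText, files) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const flags = new Set(matchHeuristics(cmd));
    const m = cmd.match(/\b(?:node|bun)\s+(\S+\.(?:m?js|cjs))\b/);
    if (m && files[m[1]]) matchHeuristics(files[m[1]]).forEach((f) => flags.add(f));
    findings.push({ hook, command: cmd, flags: [...flags].sort() });
  }
  return findings;
}

// Block the install if any lifecycle hook trips a heuristic (review it by hand instead).
function shouldBlock(findings) {
  return findings.some((f) => f.flags.length > 0);
}

// Constructed sample: a package whose preinstall hook resembles the dropper stage
// described above. The file body is inert stand-in text, not the real script.
const SAMPLE_PKG = JSON.stringify({ name: "example-pkg", scripts: { preinstall: "node setup.mjs", test: "jest" } });
const SAMPLE_FILES = {
  "setup.mjs": [
    "const base = 'https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/';",
    "if (process.env.GITHUB_ACTIONS) { /* CI branch */ }",
    "execSync('./bun execution.js');",
  ].join("\n"),
};

console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES), shouldBlock(auditPackage(SAMPLE_PKG, SAMPLE_FILES)));
```

Run it against an unpacked tarball (`npm pack` then extract) before the package is allowed into a CI cache; anything flagged is reviewed rather than installed.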
2. Bun‑Based Payload Execution – Downloading the Malware
The preinstall script (e.g., `setup.mjs`) downloads a specific version of Bun (v1.3.13) from a GitHub repository and executes `execution.js`. This two‑stage approach evades static detection.
Step‑by‑step detection and response:
1. Monitor outbound connections for suspicious GitHub downloads:

```bash
# Linux – watch for Bun download patterns (the release path travels inside TLS,
# so pair this with proxy logs, which see the full URL)
sudo tcpdump -i eth0 -n 'dst host github.com and port 443' -A | grep -i "bun-v1.3.13"
```

```powershell
# Windows – after the fact: list connections on 443 with hostnames resolved (no -n)
netstat -ao | findstr ":443" | findstr /i "github"
```

2. Check for unexpected Bun binaries on your system:

```bash
find / -name "bun" -type f 2>/dev/null
```

3. Blocklist the specific Bun release URL the worm fetches in your firewall/proxy:
`https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/`
3. GitHub Actions CI/CD Targeting – Secret Theft Mode
The malware checks for `process.env.GITHUB_ACTIONS`. If true, it switches to a high‑value secret‑stealing mode, harvesting tokens, keys, and credentials from the CI environment.
Mitigation commands and configurations:
1. Never store plaintext secrets in GitHub Actions – use encrypted secrets:

```yaml
# .github/workflows/secure.yml
steps:
  - name: Use secret
    run: echo "${{ secrets.MY_SECRET }}"   # safe reference via the secrets context, never a literal
```

2. Detect if your runner is compromised by checking for unexpected process execution:

```bash
# Linux – list all node/bun processes with arguments
ps aux | grep -E 'node|bun' | grep -v grep
```

```powershell
# Windows – PowerShell
Get-Process | Where-Object { $_.ProcessName -match "node|bun" } | Select-Object Id, ProcessName, StartTime
```

3. Disable lifecycle scripts in CI so `preinstall` hooks never run:

```ini
# .npmrc – disable scripts globally in CI
ignore-scripts=true
```
4. Exfiltration via GitHub – Encrypted Secrets & Dead‑Drop Markers
Stolen secrets are encrypted and published to public GitHub repositories with the description “A Mini Shai‑Hulud has Appeared”. The malware also searches for a base64‑encoded dead‑drop marker:
`OhNoWhatsGoingOnWithGitHub:`
How to detect exposed secrets in your org:
1. Search GitHub for the marker (using GitHub CLI):

```bash
gh search repos "OhNoWhatsGoingOnWithGitHub"
```

2. Scan your own repositories for unexpected public commits:

```bash
# Linux – mirror-clone and search the content of every commit on every branch
git clone --mirror https://github.com/your-org/your-repo.git
cd your-repo.git
git grep -i "OhNoWhatsGoingOnWithGitHub" $(git rev-list --all)
```

3. Rotate any exposed secrets immediately – assume the attacker has the decryption key.
5. Propagation Mechanism – Worm Behavior via Token Harvesting
The malware searches GitHub commit history for the dead‑drop marker, decodes the base64 content, and treats it as a potential GitHub token. This allows it to infect new repositories using the stolen token.
Step‑by‑step to break the worm chain:
1. Revoke all GitHub tokens that may have been exposed:
   – Go to GitHub Settings → Developer settings → Personal access tokens → Revoke suspicious tokens.
2. Monitor for unauthorized GitHub API calls from your IPs:

```bash
# Linux – audit API calls from CI runners
sudo journalctl -u actions-runner | grep "Authorization: token"
```

3. Implement a webhook to alert on new repositories containing the marker:

```python
# Example webhook payload filter (pseudo)
if "OhNoWhatsGoingOnWithGitHub" in payload['description']:
    alert("Possible Shai-Hulud activity detected")
```
6. Hardening Your NPM Supply Chain – Proactive Defenses
Prevent this class of attack by securing your package installation process.
Commands and configurations for Linux/Windows:
1. Use npm’s `--ignore-scripts` by default in production and CI:

```bash
npm ci --ignore-scripts
```

2. Verify package health with `npm audit` and `npm outdated`:

```bash
npm audit --audit-level=high
npm outdated
```

3. Employ a sandbox such as `bwrap` (bubblewrap, Linux) to cut network access while lifecycle scripts run:

```bash
# Fetch packages with scripts disabled (network needed), then run the lifecycle
# scripts in a sandbox with its own empty network namespace
npm ci --ignore-scripts
bwrap --ro-bind /usr /usr --ro-bind /bin /bin --ro-bind /etc /etc --proc /proc --dev /dev \
      --tmpfs /tmp --bind "$PWD" "$PWD" --chdir "$PWD" --unshare-net npm rebuild
```

4. Windows – Use AppLocker or WDAC to block execution of unsigned Node.js scripts dropped into Temp:

```powershell
# Enumerate what currently executes from the user's Temp directory (input for rule authoring)
Get-AppLockerFileInformation -Directory "$env:LOCALAPPDATA\Temp" -Recurse
# Author a Deny path rule for %LOCALAPPDATA%\Temp\* in the Exe and Script collections,
# export it as XML, then apply it (policy file name is a placeholder)
Set-AppLockerPolicy -XmlPolicy .\applocker-deny-temp.xml
```
What Undercode Say
- Key Takeaway 1: The `preinstall` script is a massive supply‑chain risk. Organizations must treat `npm install` as an execution step, not a read‑only operation.
- Key Takeaway 2: Attackers now encrypt exfiltrated secrets, rendering traditional base64 scanning useless. Runtime detection and CI/CD isolation are the only reliable countermeasures.
Analysis: The Mini Shai‑Hulud worm represents a maturity leap in npm‑based malware. By downloading Bun (a legitimate runtime) and conditionally targeting GitHub Actions, the attackers achieve high stealth and persistence. The use of version‑specific URLs and encrypted exfiltration suggests a well‑resourced group. The dead‑drop marker cleverly turns GitHub’s own search into a propagation vector. For defenders, this means rethinking “trust by default” in dependency managers and implementing zero‑trust pipelines where scripts are either blocked or run only in disposable, network‑isolated environments.
Prediction
Within 12 months, we will see automated AI‑powered scanners that detect anomalous `preinstall` behavior (e.g., network calls to GitHub releases, process environment checks) before installation. However, attackers will counter with polymorphic script loaders and use legitimate package registries to host encrypted payloads. The long‑term solution lies in package managers adding mandatory script sandboxing and requiring user consent for any network‑bound preinstall hook. Until then, every `npm install` is a potential worm invitation.
Reported By: Advocatemack – Hackers Feeds