Microsoft urges users to change passwords, as the Dune-inspired worm hits again


A resurrected and more vicious Shai-Hulud worm is silently tearing through the software supply chain, compromising developers and cloud pipelines at scale.

A new and far more aggressive version of the Shai-Hulud worm, theatrically named after the giant sandworms from the Dune movie, is once again ripping through developer ecosystems.

Although the initial attack, which left hundreds of CrowdStrike’s npm packages compromised, was believed to be contained by September 24th, Microsoft and independent security researchers now say the campaign never truly disappeared.


The second wave, now dubbed Shai-Hulud 2.0, has already infected over 25,000 GitHub repositories and has been seen compromising CI/CD environments and stealing credentials. Among the affected high-profile victims are Zapier, ENS, AsyncAPI, PostHog, and Postman.

“The Shai-Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently,” writes the Microsoft security team in a blog post.

Microsoft has issued a defense blueprint addressing the widespread supply-chain attack.

[Figure: Shai-Hulud 2.0 attack chain. Source: Microsoft]

Why is the attack so effective?

The attack is so effective because the threat actors infiltrated maintainer accounts associated with widely used open-source projects, which let them inject malicious code directly into the preinstall script phase of legitimate, trusted npm packages.

The malicious code runs before any tests or security checks, so most traditional network defenses never get a chance to respond.

The worm steals credentials, which are exfiltrated to public attacker-controlled repositories. Compromised credentials enable attackers to escalate privileges, move laterally across cloud workloads, and further exploit the systems.


Microsoft observed the worm installing automation tools and secret-scanning utilities to harvest developer credentials, which were then uploaded into newly created repositories, sometimes under spoofed identities like “Linus Torvalds.”


What actions should organizations take?

In response to the new method of attack, Microsoft is urging organizations to take the following security steps:

  • Revoke or rotate any exposed credentials before attackers can reuse them
  • Isolate compromised CI/CD environments to stop further propagation
  • Audit and tighten access permissions on key vaults, pipelines, and developer identities
  • npm maintainers should use trusted publishing instead of tokens
  • Require two-factor authentication (2FA) for all write and publishing actions

Additionally, according to the company, Microsoft Defender for Cloud and Defender XDR have been flagging and alerting users to the malicious campaign since its inception, with notifications such as “Suspicious use of the shred command on hidden files” and “Sha1-Hulud Campaign Detected – Possible command injection to exfiltrate credentials.”

Defender for Endpoint is detecting the malware as Trojan JS/ShaiWorm.

To strengthen detection, Microsoft recommends that Defender customers connect GitHub, GitLab, and Azure DevOps environments to enable repository-to-runtime mapping, automated dependency scanning, and cross-platform correlation.

Microsoft Sentinel users can match indicators of compromise through Threat Intelligence mapping analytics.

After the first wave of attacks in September, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued a warning. It urged developers to thoroughly review their systems for affected packages, immediately delete all compromised developer credentials, and check for malicious leftovers.
