Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

Dec. 21, 2025, 6:08 p.m.

Description

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware targets AWS, GCP, and Azure credentials, as well as NPM tokens and GitHub authentication. It creates malicious GitHub Actions workflows for command-and-control and secret exfiltration. The campaign also leverages cloud secret management services and implements destructive failsafes. Its sophisticated tactics allow for stealthy compromise of developer ecosystems, potentially impacting thousands of downstream users.

Date

  • Created: Nov. 27, 2025, 2:13 p.m.
  • Published: Nov. 27, 2025, 2:13 p.m.
  • Modified: Dec. 21, 2025, 6:08 p.m.

Indicators


Attack Patterns

Additional Information

  • Technologies