Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems
Nov. 27, 2025, 6:24 p.m.
Description
The Shai-hulud 2.0 campaign uses a self-propagating malware variant that harvests credentials and secrets from major cloud platforms and developer services, then automates the backdooring of NPM packages maintained by the victim, so that each compromised maintainer account becomes a new distribution point in the software supply chain. Targeted material includes AWS, GCP, and Azure credentials, NPM tokens, and GitHub authentication. The malware creates malicious GitHub Actions workflows and uses them for command-and-control and secret exfiltration, pulls additional secrets from cloud secret-management services, and implements destructive failsafes. Because propagation rides on legitimate maintainer identities, a single compromise can quietly reach thousands of downstream package consumers.
Tags
Date
- Created: Nov. 27, 2025, 2:13 p.m.
- Published: Nov. 27, 2025, 2:13 p.m.
- Modified: Nov. 27, 2025, 6:24 p.m.
Indicators
- f1df4896244500671eb4aa63ebb48ea11cee196fafaa0e9874e17b24ac053c02
- f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068
- e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918
- cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd
- a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a
- 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0
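The following triage script is an added example, not tooling from this page or from the campaign's authors. It sweeps a local checkout (including node_modules) for files whose digest matches the indicators above, and applies a heuristic to .github/workflows files for the secret-exfiltration pattern the description mentions. It assumes the six indicators are SHA-256 file digests (inferred only from their 64-hex-character length; the page does not state the hash type) and that the repository is available on disk. The workflow markers (toJSON(secrets), secrets., curl, wget, Invoke-WebRequest, fetch) are the author's assumptions, not indicators from the page, and their hits need manual review.

```python
"""Triage helpers for the Shai-hulud 2.0 indicators on this page.

Added example, not tooling from the page or the campaign report. Assumes the
six indicators are SHA-256 digests of malicious files (inferred from their
length; the page does not say so) and that a repository checkout, including
node_modules and .github/workflows, is on local disk.
"""
import hashlib
from pathlib import Path

# Indicators exactly as listed on this page.
IOC_SHA256 = frozenset({
    "f1df4896244500671eb4aa63ebb48ea11cee196fafaa0e9874e17b24ac053c02",
    "f099c5d9ec417d4445a0328ac0ada9cde79fc37410914103ae9c609cbc0ee068",
    "e0250076c1d2ac38777ea8f542431daf61fcbaab0ca9c196614b28065ef5b918",
    "cbb9bc5a8496243e02f3cc080efbe3e4a1430ba0671f2e43a202bf45b05479cd",
    "a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a",
    "62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0",
})

# Heuristic markers for workflow-based exfiltration (author's assumptions,
# not indicators from the page). Matching is case-insensitive.
SECRET_REFS = ("tojson(secrets)", "secrets.")
OUTBOUND_HINTS = ("curl ", "wget ", "invoke-webrequest", "fetch(")


def sha256_file(path):
    """Stream a file through SHA-256 so large tarballs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, iocs=IOC_SHA256):
    """Hash every regular file under root (symlinks skipped) and return a sorted
    list of (relative path, digest) pairs whose digest is in iocs."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((str(path.relative_to(root)), digest))
    return sorted(hits)


def workflow_findings(yaml_text):
    """Return the reasons a GitHub Actions workflow looks like an exfiltration
    channel. Dumping the whole secrets context is flagged on its own; a plain
    secrets reference is flagged only together with an outbound-transfer command.
    An empty list means nothing suspicious was seen."""
    lowered = yaml_text.lower()
    reasons = []
    if "tojson(secrets)" in lowered:
        reasons.append("dumps entire secrets context via toJSON(secrets)")
    refs_secrets = any(marker in lowered for marker in SECRET_REFS)
    outbound = [hint.strip() for hint in OUTBOUND_HINTS if hint in lowered]
    if refs_secrets and outbound:
        reasons.append("references secrets and issues outbound request (%s)" % ", ".join(outbound))
    return reasons


def scan_workflows(root):
    """Run workflow_findings over .github/workflows/*.yml|*.yaml under root and
    return {relative path: reasons} for files with at least one finding."""
    root = Path(root)
    wf_dir = root / ".github" / "workflows"
    results = {}
    if not wf_dir.is_dir():
        return results
    for path in sorted(wf_dir.iterdir()):
        if path.is_file() and path.suffix in (".yml", ".yaml"):
            reasons = workflow_findings(path.read_text(encoding="utf-8", errors="replace"))
            if reasons:
                results[str(path.relative_to(root))] = reasons
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, digest in scan_tree(target):
        print("IOC match", digest, rel)
    for rel, reasons in scan_workflows(target).items():
        print("Suspicious workflow", rel, "; ".join(reasons))
```

Run it as `python triage.py /path/to/checkout`. A hash match against the page's indicators is high-confidence; a workflow finding is not, since legitimate publish jobs also pair `secrets.` with `curl`, so treat those as a review queue rather than a verdict.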
Additional Information
- Technology