Summary
- Shai Hulud v2 infected 500+ npm packages (700+ versions) and spilled into Java/Maven — yikes.
- Compromised packages run a preinstall loader that downloads Bun and executes a 10MB obfuscated payload silently.
- Payload exfiltrates env vars (GITHUB_TOKEN, NPM_TOKEN, AWS keys), scans for secrets; C2 self-heals via GitHub.
These days, supply chain attacks targeting npm are not rare. It’s been a couple of months, but we’re back with yet another attack—this one affecting over 500 packages. Yikes.
A sophisticated supply chain attack campaign dubbed “Shai Hulud v2” has compromised hundreds of packages within the npm ecosystem and has now spilled over into Java/Maven artifacts. The attack has already affected over 500 packages and 700 versions, infiltrating software from major vendors including Zapier, Postman, PostHog, AsyncAPI, and ENS Domains.
From what we can gather, the infection vector relies on a two-stage loader designed to evade detection. Compromised packages contain a preinstall script in their package.json file that executes a file named setup_bun.js. This script acts as a stealthy loader: it detects the host operating system and architecture, then locates or downloads Bun (a fast JavaScript runtime) and uses it to execute a heavy, 10MB obfuscated payload named bun_environment.js. The loader suppresses all standard output and error logs, so the malicious background process stays unnoticed while the package is installing.
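As an added illustration of the loader pattern just described (not code from the Socket report or from any affected package), here is a small Node.js audit that flags a package whose manifest carries install-time hooks, references the named loader files, or ships an unusually large script; the manifests and file listings are constructed samples, and the size threshold is an assumed heuristic.

```javascript
// Added example, not code from the Socket report: audit a parsed package.json plus
// the list of files shipped in the package tarball for the Shai Hulud v2 loader
// pattern (install-time hook -> setup_bun.js -> large bun_environment.js).
// File paths and sizes are assumed to come from your own tarball listing.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Loader and payload file names named in the report.
const LOADER_FILES = ["setup_bun.js", "bun_environment.js"];
// Assumed heuristic threshold: the payload is ~10MB, far larger than any normal install script.
const LARGE_SCRIPT_BYTES = 5 * 1024 * 1024;

function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Any install-time hook is worth a look; most packages need none.
    findings.push(`${hook} hook runs: ${cmd}`);
    if (LOADER_FILES.some((f) => cmd.includes(f))) {
      findings.push(`${hook} hook references a known loader file`);
    }
  }
  for (const { path, bytes } of files) {
    const base = path.split("/").pop();
    if (LOADER_FILES.includes(base)) findings.push(`ships ${base}`);
    if (base.endsWith(".js") && bytes > LARGE_SCRIPT_BYTES) {
      findings.push(`${base} is unusually large (${bytes} bytes)`);
    }
  }
  return findings;
}

// Constructed sample inputs so the example runs stand-alone.
const CLEAN = { name: "tidy-lib", version: "1.0.0", scripts: { test: "node test.js" } };
const CLEAN_FILES = [{ path: "package.json", bytes: 412 }, { path: "index.js", bytes: 2048 }];
const SUSPECT = { name: "some-sdk", version: "2.3.1",
  scripts: { preinstall: "node setup_bun.js", test: "jest" } };
const SUSPECT_FILES = [
  { path: "package.json", bytes: 580 },
  { path: "index.js", bytes: 9120 },
  { path: "setup_bun.js", bytes: 3400 },
  { path: "bun_environment.js", bytes: 10 * 1024 * 1024 },
];

for (const [m, f] of [[CLEAN, CLEAN_FILES], [SUSPECT, SUSPECT_FILES]]) {
  const hits = auditPackage(m, f);
  console.log(`${m.name}@${m.version}: ${hits.length ? hits.join("; ") : "nothing flagged"}`);
}
```

Run it over every package.json in a freshly unpacked node_modules tree (or a tarball listing from `npm pack`) before installing with scripts enabled.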
It should be noted that the issue actually seems to spill over into the Maven ecosystem. Researchers observed that the malicious payload was present in org.mvnpm:posthog-node, a Maven artifact automatically generated from npm packages. This confirms that the automated bridging of software ecosystems can inadvertently bridge security vulnerabilities, effectively allowing JavaScript-based malware to contaminate Java environments. Yikes.
The malware employs a resilient “self-healing” C2 infrastructure. Upon execution, it searches public GitHub repositories for a specific beacon phrase: “Sha1-Hulud: The Second Coming.” If found, the malware retrieves a hidden, triple-base64 encoded GitHub access token from the repository. This token is then used as the primary credential for data exfiltration. This lets the attackers just “re-seed” the campaign by creating new repositories if the previous ones are taken down, so it’s actually quite resistant to takedown efforts.
The malware’s primary goal appears to be massive credential theft. It captures all environment variables, including GITHUB_TOKEN, NPM_TOKEN, and AWS_ACCESS_KEY_ID. Furthermore, it downloads and executes the TruffleHog security tool to aggressively scan the entire filesystem for hardcoded secrets.
If you want to read more about the ins and outs of this issue, this report goes pretty in depth.
Source: Socket
