TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

Jeffrey Francis Bonaobra · 2025-11-27

ATT&CK techniques detected

36 predictions
T1195.001 Compromise Software Dependencies and Development Tools
99%
"…also exhibiting destructive code that wipes user data when unsuccessful in harvesting data. - Trend Vision One™ detects and blocks the indicators of compromise (IoCs) outlined in this blog, and provides customers with tailored threat hunting queries, threat insights, and intell…"
T1195.001 Compromise Software Dependencies and Development Tools
98%
"Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems. Cyber Threats. Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems. Shai-hulud 2.0 campaign features a sophisticated variant capable of stealing credentials and secrets from major cloud platforms and…"
T1195.001 Compromise Software Dependencies and Development Tools
98%
"…who trust the affected packages. The attack unfolds in five phases: discovering all packages owned by the victim, downloading their original tarballs, injecting malicious preinstall hooks, bundling the malware installer, and republishing the modified packages as legitimate updat…"
T1195.001 Compromise Software Dependencies and Development Tools
97%
"…l encoding and authentication headers. The default search limit of 20 packages can be overridden, and in the actual attack execution, the malware requests up to 100 packages. Package download and extraction: the malware downloads the original package tarball from the npm registr…"
T1195.001 Compromise Software Dependencies and Development Tools
94%
"It searches for .npmrc configuration files in two locations: the current working directory and the user's home directory, which are standard locations where npm stores registry authentication credentials. The function reads these files line by line, skipping comments and empty…"
T1195.001 Compromise Software Dependencies and Development Tools
93%
"…s every npm package maintained by the victim, republishing them with malicious payloads that run during package installation, creating a wormable vector capable of spreading exponentially across the npm ecosystem and potentially compromising thousands of downstream users who tr…"
T1195.001 Compromise Software Dependencies and Development Tools
93%
"…coded secrets, invoking the tool with JSON output for easy parsing and optional arguments to narrow or customize the scan. It runs the scan with a 10-minute timeout to avoid long, suspicious execution times, capturing both output and errors. The results are packaged into a st…"
T1195.001 Compromise Software Dependencies and Development Tools
92%
"…installation - before any legitimate package code runs - with the user's full permissions. Malicious payload bundling: the malware bundles a sophisticated multi-stage installer script (setup_bun.js) that handles Bun runtime installation and malware execution as mentioned a…"
T1552.005 Cloud Instance Metadata API
90%
"…ntial collection: the malware implements AWS credential harvesting by leveraging the AWS SDK's built-in credential provider chain. This mechanism automatically searches for credentials in environment variables following the standard AWS credential lookup order. The implement…"
T1555.006 Cloud Secrets Management Stores
88%
"…malware calls the ListSecrets API to enumerate available secrets, then retrieves each secret's value using GetSecretValue. GCP Secrets Manager: the GCP secret-harvesting module uses advanced authentication handling, first validating access by calling getAccessToken() from th…"
T1587 Develop Capabilities
85%
"…s every npm package maintained by the victim, republishing them with malicious payloads that run during package installation, creating a wormable vector capable of spreading exponentially across the npm ecosystem and potentially compromising thousands of downstream users who tr…"
T1003 OS Credential Dumping
84%
"…machines by spawning a detached background process using Bun.spawn().unref() with the POSTINSTALL_BG=1 environment variable flag, which allows the parent process to exit immediately so npm install completes in normal timing (2-3 seconds, avoiding user suspicion). Th…"
T1555.006 Cloud Secrets Management Stores
82%
"…s the full OAuth token endpoint URL by appending the standard token path to the authority host. If the environment variable is not set, the malware falls back to the standard Azure IMDS endpoint. Active cloud secret manager exploitation: beyond stealing static credentials, the m…"
T1195.001 Compromise Software Dependencies and Development Tools
80%
"…main entry point of the Shai-hulud 2.0 malware payload. When bun.exe bun_environment.js executes, this function is invoked at the script's top level and orchestrates the entire attack sequence. CI/CD environment checking: the malware checks for CI/CD environment varia…"
T1552.001 Credentials In Files
80%
"It searches for .npmrc configuration files in two locations: the current working directory and the user's home directory, which are standard locations where npm stores registry authentication credentials. The function reads these files line by line, skipping comments and empty…"
T1195.001 Compromise Software Dependencies and Development Tools
77%
"…timestamp}. This branch naming convention appears legitimate, mimicking common development practices where developers create feature branches for adding code quality tools like linters and formatters. By injecting the malicious workflow on a separate branch rather than directly…"
T1555.006 Cloud Secrets Management Stores
74%
"…malware must extract the format.json file containing the stolen repository secrets. The download response is received as an ArrayBuffer, which the malware converts to a Node.js Buffer object for processing. Using a ZIP archive library (referenced as tg0["default"]), the…"
T1552.001 Credentials In Files
73%
"…file. When the environment variable is found, the malware attempts to read the referenced credential file and extract the service account private key, client email, and project information. The malware implements platform-aware logic to locate the Google Cloud SDK configuration…"
T1552.007 Container API
72%
"…the permissions granted to the service principal. Each successful credential extraction is logged with tenant and client IDs. If client secret authentication fails, the malware falls back to certificate-based authentication by checking for AZURE_CLIENT_CERTIFICATE_PATH, a…"
T1195.001 Compromise Software Dependencies and Development Tools
72%
"…, and the malware also fails to obtain a valid GitHub token, it executes destructive commands that attempt to delete all files in the user's home directory. - System information collection: the malware then collects detailed system information and GitHub credentials to build a c…"
T1552.005 Cloud Instance Metadata API
67%
"…malware calls the ListSecrets API to enumerate available secrets, then retrieves each secret's value using GetSecretValue. GCP Secrets Manager: the GCP secret-harvesting module uses advanced authentication handling, first validating access by calling getAccessToken() from th…"
T1552.005 Cloud Instance Metadata API
66%
"…s the full OAuth token endpoint URL by appending the standard token path to the authority host. If the environment variable is not set, the malware falls back to the standard Azure IMDS endpoint. Active cloud secret manager exploitation: beyond stealing static credentials, the m…"
T1587 Develop Capabilities
65%
"…l encoding and authentication headers. The default search limit of 20 packages can be overridden, and in the actual attack execution, the malware requests up to 100 packages. Package download and extraction: the malware downloads the original package tarball from the npm registr…"
T1528 Steal Application Access Token
65%
"…po for future reference. - Workflow permission verification: it calls checkWorkflowScope() to validate whether the stolen GitHub token has the workflow OAuth scope permission, which is required to manage GitHub Actions workflows and runners. It sends a HEAD request to GitHub'…"
T1677 Poisoned Pipeline Execution
62%
"…, and the malware also fails to obtain a valid GitHub token, it executes destructive commands that attempt to delete all files in the user's home directory. - System information collection: the malware then collects detailed system information and GitHub credentials to build a c…"
T1195.001 Compromise Software Dependencies and Development Tools
59%
"…machines by spawning a detached background process using Bun.spawn().unref() with the POSTINSTALL_BG=1 environment variable flag, which allows the parent process to exit immediately so npm install completes in normal timing (2-3 seconds, avoiding user suspicion). Th…"
T1059.004 Unix Shell
58%
"…_environment.js). Bun runtime detection and installation: the initial phase of the setup script involves detecting whether a Bun JavaScript runtime is already installed on the victim's system. This detection process uses platform-specific commands to search the system path…"
T1587 Develop Capabilities
56%
"…who trust the affected packages. The attack unfolds in five phases: discovering all packages owned by the victim, downloading their original tarballs, injecting malicious preinstall hooks, bundling the malware installer, and republishing the modified packages as legitimate updat…"
T1552.005 Cloud Instance Metadata API
52%
"…silently failing and setting the path to null rather than throwing exceptions that might alert monitoring systems. Azure credential collection: the malware also implements a comprehensive Azure credential harvesting system that targets the entire spectrum of Azure authentication m…"
T1204.002 Malicious File
49%
"…, and .zshrc in the user's home directory. Payload execution: the final phase of the setup script orchestrates the execution of the actual malware payload. The script first checks if Bun is available in the system path, which would be the case if Bun was previously installed or j…"
T1567.001 Exfiltration to Code Repository
41%
"…coded secrets, invoking the tool with JSON output for easy parsing and optional arguments to narrow or customize the scan. It runs the scan with a 10-minute timeout to avoid long, suspicious execution times, capturing both output and errors. The results are packaged into a st…"
T1567.001 Exfiltration to Code Repository
39%
"…creates a GitHub repository and establishes C&C infrastructure. It first verifies that GitHub authentication is available to ensure the malware has valid stolen GitHub credentials before proceeding. It then generates an 18-character random identifier that will serve as the un…"
T1587 Develop Capabilities
38%
"It searches for .npmrc configuration files in two locations: the current working directory and the user's home directory, which are standard locations where npm stores registry authentication credentials. The function reads these files line by line, skipping comments and empty…"
T1552.007 Container API
35%
"The implementation first checks for custom file paths specified through environment variables (AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE), then falls back to default locations in the ~/.aws/ directory. The malware includes specialized functionality for steali…"
T1552.001 Credentials In Files
35%
"…machines by spawning a detached background process using Bun.spawn().unref() with the POSTINSTALL_BG=1 environment variable flag, which allows the parent process to exit immediately so npm install completes in normal timing (2-3 seconds, avoiding user suspicion). Th…"
T1677 Poisoned Pipeline Execution
35%
"…timestamp}. This branch naming convention appears legitimate, mimicking common development practices where developers create feature branches for adding code quality tools like linters and formatters. By injecting the malicious workflow on a separate branch rather than directly…"

Summary

Shai-hulud 2.0 campaign features a sophisticated variant capable of stealing credentials and secrets from major cloud platforms and developer services, while automating the backdooring of NPM packages maintained by victims. Its advanced tactics enable rapid, stealthy propagation across the software supply chain, putting countless downstream users at risk.