TTPwire Vol. 1 · MITRE ATT&CK tagged


Datadog Security Labs

A runtime security approach to detecting supply chain attacks

2025-11-05

ATT&CK techniques detected

6 predictions
T1195.001 Compromise Software Dependencies and Development Tools
97%
"A runtime security approach to detecting supply chain attacks. In September 2025, the npm ecosystem was hit by yet another supply chain attack. This time, an infostealer with worm characteristics, named Shai-Hulud after the giant sandworm of the Dune universe, found its way into…"
T1195.001 Compromise Software Dependencies and Development Tools
89%
"Secure your CI/CD pipelines. Diving into the Shai-Hulud payload. Before understanding how to detect this threat, we have to take a closer look at its payload. There has been a lot of analysis on this, so a small recap here will suffice. As is common in software supply chain ma…"
T1195.001 Compromise Software Dependencies and Development Tools
84%
"…ly, Shai-Hulud earns its worm characteristics through a final, automated step. If the malware successfully discovers additional npm or GitHub publishing credentials, it immediately uses them to create and publish a new version of a package it has access to, placing the exact…"
T1195.001 Compromise Software Dependencies and Development Tools
83%
"…_package_install hasoptionalgroupbyfields: false cases: - name: malicious_package_installation status: high notifications: [] condition: tactics_on_package_install > 2. As you can see, the backend rule simply counts the different tactics in use by events genera…"
T1195.001 Compromise Software Dependencies and Development Tools
74%
"set: name: correlation_key default_value: '' expression: '"package_install_${builtins.uuid4}"' scope: process inherited: true. This agent rule helps us gain visibility into the details necessary to identify malicious activity. First, the existing parent corr…"
T1055.001 Dynamic-link Library Injection
36%
"…*" || process.args =~ "*ins*" || process.args =~ "*inst*" || process.args =~ "*insta*" || process.args =~ "*instal*" || process.args =~ "*isnt*" || process.args =~ "*isnta*" || process.args =~ "*isntal*" || process.args =~ "*…"

Summary

Detecting software supply chain attacks through runtime security.