Analytics Story: NPM Supply Chain Compromise
Description
Behavioral detections and hunting content for detecting npm supply chain compromises, including the Shai-Hulud worm and its 2.0 variant. Focuses on preinstall/postinstall script abuse, credential exfiltration via curl/wget, malicious GitHub Actions workflow injection (shai-hulud-workflow.yml, discussion.yaml), package file patching, cloud credential harvesting, self-hosted runner backdoors, and rapid npm publishing activity.
Why it matters
Recent incidents highlight self-replicating worms ("Shai-Hulud" and "Shai-Hulud 2.0") abusing the npm ecosystem.
After compromising developer credentials, malicious packages execute during preinstall/postinstall phases to exfiltrate secrets, plant malicious GitHub Actions workflows, register self-hosted runner backdoors, and republish tampered packages to spread across the ecosystem.
Shai-Hulud 2.0 (November 2025) introduced new payload files (setup_bun.js, bun_environment.js), exfiltration artifacts (cloud.json, contents.json, environment.json, truffleSecrets.json), and a backdoor workflow (discussion.yaml) that enables remote command execution via GitHub Discussions on compromised self-hosted runners named "SHA1HULUD".
The campaign has affected 25,000+ repositories across ~500 GitHub users, with propagation rates of ~1,000 new repos every 30 minutes.
This story provides Linux and Windows analytics using Sysmon, auditd, and GitHub audit logs. Prioritize monitoring npm installs, curl/wget posts, node_modules file patching, workflow YAML writes under .github/workflows, self-hosted runner registrations, and cloud credential file access.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| GitHub Organizations Audit Logs | Other | github:cloud:audit |
github |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon for Linux EventID 1 |  Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
| Sysmon EventID 1 |  Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
XmlWinEventLog |
XmlWinEventLog:Security |
| Cisco Network Visibility Module Flow Data |  Network |
cisco:nvm:flowdata |
not_applicable |
| Sysmon for Linux EventID 11 | Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
| Sysmon EventID 11 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| GitHub Enterprise Audit Logs | Other | httpevent |
http:github |
| Cisco Isovalent Process Exec | Other | cisco:isovalent:processExec |
not_applicable |
References
- https://en.wikipedia.org/wiki/Software_supply_chain_attack
- https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/
- https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
- https://snyk.io/blog/ua-parser-js-compromised-in-supply-chain-attack/
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
- https://github.com/SigmaHQ/sigma/pull/5658/files
Source: GitHub | Version: 3